SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
Microsoft Internet Explorer VML Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016879
SecurityTracker URL:  http://securitytracker.com/id/1016879
CVE Reference:   CVE-2006-4868   (Links to External Site)
Updated:  Sep 20 2006
Original Entry Date:  Sep 19 2006
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Microsoft Internet Explorer (IE). A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in 'Vgx.dll' in the processing of Vector Markup Language (VML) text and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Sunbelt Software reported this vulnerability. Exploit code was discovered by Sunbelt Software Security Researchers.

This vulnerability is being actively exploited.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.

Microsoft reports that their goal is to release an update on Tuesday, October 10, 2006, or sooner.

Some workarounds are described in the Microsoft advisory.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/advisory/925568.mspx

Vendor URL:  www.microsoft.com/technet/security/advisory/925568.mspx (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (2000), Windows (2003), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 26 2006 (Microsoft Issues Fix) Microsoft Internet Explorer VML Buffer Overflow Lets Remote Users Execute Arbitrary Code
Microsoft has issued a fix.



 Source Message Contents

Date:  Tue, 19 Sep 2006 03:06:27 -0400
Subject:  [Full-disclosure] [SECURITY] Sunbelt Software: New Microsoft

Sunbelt Software Security Advisory

Description:

A new Microsoft Internet Explorer exploit has been found in the wild by
Sunbelt Software Security Researchers.

This exploit uses a buffer overflow in the IE's VML code to execute code
remotely. Contact eric@sunbelt-software.com for further information.

Analysis:

Analysis information and exploit code has been released to security
companies and security researchers. This exploit currently affects fully
patched versions of Microsoft Internet Explorer 6 on Windows XP Home and
Windows XP Professional. Other Microsoft Windows versions and Microsoft
Internet Explorer versions are being tested.

Chronology:

9/15/2006 - Found in the wild but was unable to confirm.
9/18/2006 - Reliable exploit found on multiple websites.
9/18/2006 - Exploit used to install Virtumonde.
9/18/2006 - Exploit websites changed to install Virtumonde plus the
following malware - Trojan-PSW.Win32.Sinowal.aq, BookedSpace Browser
Plug-in , AvenueMedia.InternetOptimizer, Claria.GAIN.CommonElements,
Mirar Toolbar, 7FaSSt Toolbar, webHancer, Trojan.SvcHost, Trojan.Delf,
Begin2Search Toolbar, MediaMotor Trojan Downloader,
Trojan-Downloader.Winstall, TargetSaver Browser Plug-in, InternetOffers
Adware, SurfSideKick, Trojan.Vxgame , SafeSurfing.RsyncMon,
Trojan-Downloader.Small , Freeprod/Toolbar888,
ConsumerAlertSystem.CASClient, SpySheriff, Trojan-Downloader.Qoologic,
Zenotecnico, Command Service , WebNexus, Webext Browser Plug-in,
CWS.Dialerz, DollarRevenue , Trojan-Downloader.Gen, Danmec.B-dll,
Traff-Acc , EliteMediaGroup , NetMon, TagASaurus,
Trojan-Downloader.Win32.Small.awa, FullContext.EQAdvice,
Trojan-Clicker.Win32.VB.ij, Yazzle.Cowabanga Misc, Backdoor.Shellbot,
Trojan.Danmec , TopInstalls.Banners, Trojan-Dropper.Delf.VA,
Adware.Batty, Trojan-Downloader.Win32.Small.cyh, Toolbar.CommonElements,
Trojan.Win32.PePatch.dw , Backdoor.Win32.Delf.aml, BookedSpace.
9/18/2006 - Reported to Microsoft Security and other Security Companies
and Researchers

Credits:

Adam Thomas, Security Researchers at Sunbelt Software
Eric Sites, VP of Research & Development at Sunbelt Software
Security Research Team at Sunbelt Software

Related Links:

http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-be
ing.html
http://research.sunbelt-software.com/
http://www.sunbelt-software.com/

Copyright (c) 2006 Sunbelt Software

Eric Sites
VP of Research & Development
Sunbelt Software
eric@sunbelt-software.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC