Microsoft Internet Explorer VML Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016879
SecurityTracker URL: http://securitytracker.com/id/1016879
Updated: Sep 20 2006
Original Entry Date: Sep 19 2006
Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
A vulnerability was reported in Microsoft Internet Explorer (IE). A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in 'Vgx.dll' in the processing of Vector Markup Language (VML) text and execute arbitrary code on the target system. The code will run with the privileges of the target user.
Sunbelt Software reported this vulnerability. Exploit code was discovered by Sunbelt Software Security Researchers.
This vulnerability is being actively exploited.
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
No solution was available at the time of this entry.
Microsoft reports that their goal is to release an update on Tuesday, October 10, 2006, or sooner.
Some workarounds are described in the Microsoft advisory.
The Microsoft advisory is available at:
Vendor URL: www.microsoft.com/technet/security/advisory/925568.mspx
Underlying OS: Windows (2000), Windows (2003), Windows (XP)
Underlying OS Comments: 2000 SP4, 2003 SP1, XP SP2; and prior service packs
Source Message Contents
Subject: [Full-disclosure] [SECURITY] Sunbelt Software: New Microsoft
Sunbelt Software Security Advisory
A new Microsoft Internet Explorer exploit has been found in the wild by
Sunbelt Software Security Researchers.
This exploit uses a buffer overflow in IE's VML code to execute code
remotely. Contact email@example.com for further information.
Analysis information and exploit code have been released to security
companies and security researchers. This exploit currently affects fully
patched versions of Microsoft Internet Explorer 6 on Windows XP Home and
Windows XP Professional. Other Microsoft Windows versions and Microsoft
Internet Explorer versions are being tested.
9/15/2006 - Found in the wild but was unable to confirm.
9/18/2006 - Reliable exploit found on multiple websites.
9/18/2006 - Exploit used to install Virtumonde.
9/18/2006 - Exploit websites changed to install Virtumonde plus the
following malware - Trojan-PSW.Win32.Sinowal.aq, BookedSpace Browser
Plug-in, AvenueMedia.InternetOptimizer, Claria.GAIN.CommonElements,
Mirar Toolbar, 7FaSSt Toolbar, webHancer, Trojan.SvcHost, Trojan.Delf,
Begin2Search Toolbar, MediaMotor Trojan Downloader,
Trojan-Downloader.Winstall, TargetSaver Browser Plug-in, InternetOffers
Adware, SurfSideKick, Trojan.Vxgame, SafeSurfing.RsyncMon,
Trojan-Downloader.Small, Freeprod/Toolbar888,
ConsumerAlertSystem.CASClient, SpySheriff, Trojan-Downloader.Qoologic,
Zenotecnico, Command Service, WebNexus, Webext Browser Plug-in,
CWS.Dialerz, DollarRevenue, Trojan-Downloader.Gen, Danmec.B-dll,
Traff-Acc, EliteMediaGroup, NetMon, TagASaurus,
Trojan-Clicker.Win32.VB.ij, Yazzle.Cowabanga Misc, Backdoor.Shellbot,
Trojan.Danmec, TopInstalls.Banners, Trojan-Dropper.Delf.VA,
Adware.Batty, Trojan-Downloader.Win32.Small.cyh, Toolbar.CommonElements,
Trojan.Win32.PePatch.dw, Backdoor.Win32.Delf.aml, BookedSpace.
9/18/2006 - Reported to Microsoft Security and other Security Companies
Adam Thomas, Security Researchers at Sunbelt Software
Eric Sites, VP of Research & Development at Sunbelt Software
Security Research Team at Sunbelt Software
Copyright (c) 2006 Sunbelt Software
VP of Research & Development