Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer VML Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016879
SecurityTracker URL:
CVE Reference:   CVE-2006-4868   (Links to External Site)
Updated:  Sep 20 2006
Original Entry Date:  Sep 19 2006
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Microsoft Internet Explorer (IE). A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in 'Vgx.dll' in the processing of Vector Markup Language (VML) text and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Sunbelt Software reported this vulnerability. Exploit code was discovered by Sunbelt Software Security Researchers.

This vulnerability is being actively exploited.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.

Microsoft reports that their goal is to release an update on Tuesday, October 10, 2006, or sooner.

Some workarounds are described in the Microsoft advisory.

The Microsoft advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)
Underlying OS Comments:  2000 SP4, 2003 SP1, XP SP2; and prior service packs

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 26 2006 (Microsoft Issues Fix) Microsoft Internet Explorer VML Buffer Overflow Lets Remote Users Execute Arbitrary Code
Microsoft has issued a fix.

 Source Message Contents

Subject:  [Full-disclosure] [SECURITY] Sunbelt Software: New Microsoft

Sunbelt Software Security Advisory


A new Microsoft Internet Explorer exploit has been found in the wild by
Sunbelt Software Security Researchers.

This exploit uses a buffer overflow in IE's VML code to execute code
remotely. Contact for further information.


Analysis information and exploit code have been released to security
companies and security researchers. This exploit currently affects fully
patched versions of Microsoft Internet Explorer 6 on Windows XP Home and
Windows XP Professional. Other Microsoft Windows versions and Microsoft
Internet Explorer versions are being tested.


9/15/2006 - Found in the wild but was unable to confirm.
9/18/2006 - Reliable exploit found on multiple websites.
9/18/2006 - Exploit used to install Virtumonde.
9/18/2006 - Exploit websites changed to install Virtumonde plus the
following malware -, BookedSpace Browser
Plug-in, AvenueMedia.InternetOptimizer, Claria.GAIN.CommonElements,
Mirar Toolbar, 7FaSSt Toolbar, webHancer, Trojan.SvcHost, Trojan.Delf,
Begin2Search Toolbar, MediaMotor Trojan Downloader,
Trojan-Downloader.Winstall, TargetSaver Browser Plug-in, InternetOffers
Adware, SurfSideKick, Trojan.Vxgame, SafeSurfing.RsyncMon,
Trojan-Downloader.Small, Freeprod/Toolbar888,
ConsumerAlertSystem.CASClient, SpySheriff, Trojan-Downloader.Qoologic,
Zenotecnico, Command Service, WebNexus, Webext Browser Plug-in,
CWS.Dialerz, DollarRevenue, Trojan-Downloader.Gen, Danmec.B-dll,
Traff-Acc, EliteMediaGroup, NetMon, TagASaurus,
Trojan-Downloader.Win32.Small.awa, FullContext.EQAdvice,
Trojan-Clicker.Win32.VB.ij, Yazzle.Cowabanga Misc, Backdoor.Shellbot,
Trojan.Danmec, TopInstalls.Banners, Trojan-Dropper.Delf.VA,
Adware.Batty, Trojan-Downloader.Win32.Small.cyh, Toolbar.CommonElements,
Trojan.Win32.PePatch.dw, Backdoor.Win32.Delf.aml, BookedSpace.
9/18/2006 - Reported to Microsoft Security and other Security Companies
and Researchers


Adam Thomas, Security Researchers at Sunbelt Software
Eric Sites, VP of Research & Development at Sunbelt Software
Security Research Team at Sunbelt Software

Related Links:

Copyright (c) 2006 Sunbelt Software

Eric Sites
VP of Research & Development
Sunbelt Software
