Date: 20 September 2006
References: AL-2006.0082 AU-2006.0034 ESB-2006.0697
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0081 -- AUSCERT ALERT
[Win]
Unpatched Microsoft Internet Explorer VML Buffer Overflow
Being Actively Exploited
20 September 2006
===========================================================================
AusCERT Alert Summary
---------------------
Product: Microsoft Internet Explorer
Publisher: US-CERT
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2006-3866
Original Bulletin: http://www.kb.cert.org/vuls/id/416092
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-262A
Microsoft Internet Explorer VML Buffer Overflow
Original release date: September 19, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute
arbitrary code.
I. Description
Microsoft Internet Explorer contains a stack buffer overflow in
code that handles VML. More information is available in
Vulnerability Note VU#416092 and Microsoft Security Advisory
(925568).
Note that this vulnerability is being exploited.
II. Impact
By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user running IE.
III. Solution
We are currently unaware of a complete solution to this
problem. Until an update is available, consider the following
workarounds.
Disable VML support in IE
Microsoft Security Advisory (925568) suggests the following
techinques to disable VML support in IE:
* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1
* Modify the Access Control List on Vgx.dll to be more restrictive
* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet
and Local Intranet security zone
Disabling VML support may cause web sites that use VML to function
improperly.
Render email as plain text
Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant messages,
web forums, or internet relay chat (IRC) channels. Type URLs
directly into the browser to avoid these misleading links. While
these are generally good security practices, following these
behaviors will not prevent exploitation of this vulnerability in
all cases, particularly if a trusted site has been compromised or
allows cross-site scripting.
IV. References
* Vulnerability Note VU#416092 -
<http://www.kb.cert.org/vuls/id/416092>
* Securing Your Web Browser-
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Ex
plorer>
* Microsoft Security Advisory (925568) -
<http://www.microsoft.com/technet/security/advisory/925568.mspx>
* CVE-2006-3866 -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-262A Feedback VU#416092" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Sep 19, 2006: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRRBphexOF3G+ig+rAQKjKwf/SqhuYNpSDw7n677sSaIPQArefSWbVZOy
oTDVz6Xg9bJ5mMiueAQY+OYDn/kHo3WepBdRjx+Cj36Js+9l2lTF+MO5S3k4AFWW
vG8RHLAvpaxCGWAupy8HjMW3MG+1unioJZYd8Xu916RUjgyVq36V0uSsAhaaBv2h
oRA7fft30VtTlOQ0TQFd+cJSH7uyfXA31e3tVTzDpclXvskm8Rb5h/KFP56i52ld
Uz/SSXPIIoFM0GTMknOSPh32Itp+MJj7ZDKQ2E2GR1GurUC33MObOUeRINrLndfX
9I2bbDcTw5vVnWFWqm45KRZTEvbBXNOXhAtgZmYje2NF4IxxvMiGhw==
=I3e8
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRRB/Zyh9+71yA2DNAQIIRAP+KLEE+UZP4Na1idKlNTgkpIVUTcHrEql2
cKi+AvQ220rG5JnEw70/nMNqRiF651YXSknmOpbhYhVR/gygU5OXB7lv0ideWHJM
sTX60ysWO1/GOLNFgVoIOo2gLzmM13XiGjHBhTbaiCChpH+4uzE3qhK+RGRYgsej
88Y3tQMN2w8=
=RtLY
-----END PGP SIGNATURE-----
|