=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN501
_____________________________________________________________________

DATE                      : 19/09/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Microsoft Internet Explorer.

======================================================================

                      National Cyber Alert System

                Technical Cyber Security Alert TA06-262A


Microsoft Internet Explorer VML Buffer Overflow

    Original release date: September 19, 2006
    Last revised: --
    Source: US-CERT


Systems Affected

      * Microsoft Windows
      * Microsoft Internet Explorer


Overview

    Microsoft Internet Explorer (IE) fails to properly handle Vector
    Markup Language (VML) tags. This creates a buffer overflow
    vulnerability that could allow a remote attacker to execute
    arbitrary code.


I. Description

    Microsoft Internet Explorer contains a stack buffer overflow in
    code that handles VML. More information is available in
    Vulnerability Note VU#416092 and Microsoft Security Advisory
    (925568).

    Note that this vulnerability is being exploited.


II. Impact

    By convincing a user to open a specially crafted HTML document,
    such as a web page or HTML email message, a remote attacker could
    execute arbitrary code with the privileges of the user running IE.


III. Solution

    We are currently unaware of a complete solution to this
    problem. Until an update is available, consider the following
    workarounds.

Disable VML support in IE

    Microsoft Security Advisory (925568) suggests the following
    techniques to disable VML support in IE:

      * Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
        Service Pack 2; Windows Server 2003 and Windows Server 2003
        Service Pack 1

      * Modify the Access Control List on Vgx.dll to be more restrictive

      * Configure Internet Explorer 6 for Microsoft Windows XP Service
        Pack 2 to disable Binary and Script Behaviors in the Internet
        and Local Intranet security zone

    Disabling VML support may cause web sites that use VML to function
    improperly.
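
    To confirm which of these workarounds is actually in place on a
    host, the following read-only PowerShell audit is an added example,
    not part of the alert or of Microsoft's advisory. The Vgx.dll path,
    the zone numbers (1, 3), URL action 2000 and the $VgxPath parameter
    are assumptions not stated on this page; verify them on the target.

```powershell
# Added example, not part of the alert: read-only audit of the three workarounds.
param(
    # Assumption: usual location of Vgx.dll; the alert does not give the path.
    [string]$VgxPath = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
)

# 1. Registration: COM classes whose in-process server is still Vgx.dll.
$registered = @(
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'vgx\.dll') { $_.PSChildName }
        }
)

# 2. ACL: a Deny entry for Everyone (well-known SID S-1-1-0) covering execute.
$denied = $false
if (Test-Path $VgxPath) {
    try {
        $rules = (Get-Acl -Path $VgxPath -ErrorAction Stop).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        $denied = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            $_.AccessControlType -eq 'Deny' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
        })
    } catch {
        Write-Warning "Could not read the ACL on ${VgxPath}: $_"
    }
}

# 3. Zones: URL action 2000 (binary and script behaviors) set to 3 (disable)
#    in Local Intranet (1) and Internet (3). Reads per-user values only;
#    machine-wide policy settings are not examined here.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = foreach ($z in 1, 3) {
    $v = (Get-ItemProperty -Path "$zoneRoot\$z" -Name '2000' -ErrorAction SilentlyContinue).'2000'
    [pscustomobject]@{ Zone = $z; Value = $v; Disabled = ($v -eq 3) }
}

[pscustomobject]@{
    VgxPresent        = Test-Path $VgxPath
    RegisteredClasses = $registered.Count
    EveryoneDenied    = $denied
    BehaviorsDisabled = -not ($zones | Where-Object { -not $_.Disabled })
}
```

    A host with the first workaround applied reports RegisteredClasses
    as 0; the other two fields show whether the ACL or zone workaround
    is present instead.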

Render email as plain text

    Microsoft Security Advisory (925568) suggests configuring Microsoft
    Outlook and Outlook Express to render email messages in plain text
    format.

Do not follow unsolicited links

    In order to convince users to visit their sites, attackers often
    use URL encoding, IP address variations, long URLs, intentional
    misspellings, and other techniques to create misleading links. Do
    not click on unsolicited links received in email, instant messages,
    web forums, or internet relay chat (IRC) channels. Type URLs
    directly into the browser to avoid these misleading links. While
    these are generally good security practices, following these
    behaviors will not prevent exploitation of this vulnerability in
    all cases, particularly if a trusted site has been compromised or
    allows cross-site scripting.


IV. References

      * Vulnerability Note VU#416092 -
        <http://www.kb.cert.org/vuls/id/416092>

      * Securing Your Web Browser -
        <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

      * Microsoft Security Advisory (925568) -
        <http://www.microsoft.com/technet/security/advisory/925568.mspx>

      * CVE-2006-3866 -
        <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>


  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert@cert.org> with "TA06-262A Feedback VU#416092" in the
    subject.
  ____________________________________________________________________


    Produced 2006 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________


Revision History

    Sep 19, 2006: Initial release

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================







