=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN503
_____________________________________________________________________

DATE                      : 27/09/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Microsoft Internet Explorer.

======================================================================

                         National Cyber Alert System

                  Technical Cyber Security Alert TA06-262A


Microsoft Internet Explorer VML Buffer Overflow

    Original release date: September 19, 2006
    Last revised: September 26, 2006
    Source: US-CERT


Systems Affected

      * Microsoft Windows
      * Microsoft Internet Explorer


Overview

    Microsoft Internet Explorer (IE) fails to properly handle Vector
    Markup Language (VML) tags. This creates a buffer overflow
    vulnerability that could allow a remote attacker to execute arbitrary
    code.


I. Description

    Microsoft Internet Explorer contains a stack buffer overflow in code
    that handles VML. More information is available in Vulnerability Note
    VU#416092, Microsoft Security Advisory (925568), and Microsoft
    Security Bulletin MS06-055.

    Note that this vulnerability is being exploited.


II. Impact

    By convincing a user to open a specially crafted HTML document, such
    as a web page or HTML email message, a remote attacker could execute
    arbitrary code with the privileges of the user running IE.


III. Solution

Apply update from Microsoft

    Microsoft has provided an update to correct this vulnerability in
    Microsoft Security Bulletin MS06-055.

    This update is available on the Microsoft Update site.

    System administrators may wish to consider using Windows Server Update
    Services (WSUS).

Disable VML support

    Microsoft Security Advisory (925568) suggests the following techniques
    to disable VML support:

      * Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
        Service Pack 2; Windows Server 2003 and Windows Server 2003
        Service Pack 1

      * Modify the Access Control List on Vgx.dll to be more restrictive

      * Configure Internet Explorer 6 for Microsoft Windows XP Service
        Pack 2 to disable Binary and Script Behaviors in the Internet and
        Local Intranet security zone

    Disabling VML support may cause web sites and applications that use
    VML to function improperly.
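
    One way to audit the ACL and security-zone workarounds above on a
    single machine, as an added PowerShell example that is not part of
    the US-CERT alert or the Microsoft advisory. It assumes the ACL was
    tightened with a Deny entry for Everyone and that the zone setting is
    stored per user; the Vgx.dll path is not given in this alert and must
    be supplied from Microsoft Security Advisory (925568).

```powershell
param(
    # Full path to Vgx.dll. This alert does not give it; take it from
    # Microsoft Security Advisory (925568).
    [Parameter(Mandatory = $true)][string]$VgxPath
)

# Assumption: "more restrictive" was implemented as a Deny entry for Everyone (S-1-1-0).
function Test-VgxAclRestricted {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file not found' }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # A deny-all ACL can block reading the ACL itself unless you own the file.
        return 'ACL unreadable: ' + $_.Exception.Message
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -eq 'Deny' -and $rule.IdentityReference.Value -eq 'S-1-1-0') {
            return 'restricted (Deny for Everyone)'
        }
    }
    return 'NOT restricted'
}

# URL action 2000 is "Binary and Script Behaviors"; data 3 means Disable.
# Only the per-user (HKCU) setting is read; Group Policy overrides are not checked.
function Get-BehaviorState {
    param([int]$Zone)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $item = Get-ItemProperty -Path $key -Name '2000' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    if ($item.'2000' -eq 3) { return 'disabled' }
    return ('NOT disabled (value 0x{0:X})' -f $item.'2000')
}

$report = @(
    New-Object PSObject -Property @{ Check = 'Vgx.dll ACL'; State = (Test-VgxAclRestricted $VgxPath) }
    New-Object PSObject -Property @{ Check = 'Behaviors, Local Intranet zone (1)'; State = (Get-BehaviorState 1) }
    New-Object PSObject -Property @{ Check = 'Behaviors, Internet zone (3)'; State = (Get-BehaviorState 3) }
)
$report | Format-Table Check, State -AutoSize
```

    The script only reads state and changes nothing; it requires
    PowerShell 2.0 or later.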

Render email as plain text

    Microsoft Security Advisory (925568) suggests configuring Microsoft
    Outlook and Outlook Express to render email messages in plain text
    format.

Do not follow unsolicited links

    In order to convince users to visit their sites, attackers often use
    URL encoding, IP address variations, long URLs, intentional
    misspellings, and other techniques to create misleading links. Do not
    click on unsolicited links received in email, instant messages, web
    forums, or internet relay chat (IRC) channels. Type URLs directly into
    the browser to avoid these misleading links. While these are generally
    good security practices, following these behaviors will not prevent
    exploitation of this vulnerability in all cases, particularly if a
    trusted site has been compromised or allows cross-site scripting.


IV. References

      * Vulnerability Note VU#416092 -
        <http://www.kb.cert.org/vuls/id/416092>

      * Microsoft Security Bulletin MS06-055 -
        <http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx>

      * Microsoft Security Advisory (925568) -
        <http://www.microsoft.com/technet/security/advisory/925568.mspx>

      * Securing Your Web Browser -
        <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

      * Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

      * CVE-2006-3866 -
        <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>


  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert@cert.org> with "TA06-262A Feedback VU#416092" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  ____________________________________________________________________

    Produced 2006 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________



Revision History

    September 19, 2006: Initial release
    September 21, 2006: Fixed misspelling and removed IE-specific
    language from Solution section
    September 26, 2006: Added update information and added a reference
    to Microsoft Update

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


