ALERT: Microsoft IE VML Buffer Overflow Vulnerability

From: Allison Henry <akhenry_at_berkeley.edu>
Date: Fri Sep 22 2006 - 12:21:42 PDT

There is a vulnerability in Microsoft Internet Explorer that can be
exploited by an attacker to execute arbitrary code on the target system.
Systems can become exploited when browsing to web pages infected with
the malicious code. These infected web pages are now becoming more
widespread, and in response SNS is advising all campus users to take
measures to mitigate this threat. There is no patch available for this
vulnerability yet, but the following actions can be taken to reduce the
risk to your systems (for a layered approach take as many of these
actions as is appropriate in your environment):

1) Make sure all systems are running anti-virus software with current
definitions and auto-update enabled.

2) Unregister the vulnerable dll: Click Start, click Run, type: regsvr32
-u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll" and then
click OK (highly recommended, but may cause problems viewing the few
websites that render VML).

3) Configure IE6 for Windows XP SP2 to disable Binary and Script
behaviors (check Microsoft's advisory page:
http://www.microsoft.com/technet/security/advisory/925568.mspx for
details on how to do this).

4) Use an alternate web browser until a patch is issued by Microsoft.

5) Configure your email client to display mail as plain text rather than
HTML (an HTML email containing the malicious code can also be a vector).

6) Use care when browsing -- do not follow untrusted links sent via
email or suspicious links from other sites (but do not rely on this for
protection as previously safe sites could become infected with the
malicious code).

For more information about this vulnerability:

http://www.microsoft.com/technet/security/advisory/925568.mspx
http://www.kb.cert.org/vuls/id/416092
http://www.symantec.com/enterprise/security_response/vulnerability.jsp?bid=20096 

-- 
Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley.edu
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Fri Sep 22 12:24:36 2006

This archive was generated by hypermail 2.1.8 : Fri Sep 22 2006 - 12:24:37 PDT