Microsoft Internet Explorer VML Code Execution Vulnerability
Secunia Advisory: SA21989
Release Date: 2006-09-19
Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
Description:
A vulnerability has been discovered in Microsoft Internet
Explorer,
which can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to an error in the
processing of Vector
Markup Language (VML) documents. This can be exploited by
e.g. tricking
a user into viewing a malicious VML document containing an
overly long
"fill" method inside a "rect" tag.
Successful exploitation allows execution of arbitrary code.
NOTE: Reportedly, this is currently being exploited in the
wild.
The vulnerability has been confirmed on a fully patched
system with
Internet Explorer 6.0 and Microsoft Windows XP SP2. Other
versions may
also be affected.
Solution:
Do not visit untrusted web sites.
Deactivating Active Scripting will prevent exploitation
using the
currently known exploit.
Provided and/or discovered by:
Sample exploit provided by Sunbelt Software.
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/r
ules.htm
Contact list owner <owner-pcworks imagicomm.com>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
|