Microsoft Internet Explorer VML Code Execution Vulnerability    

Secunia Advisory: SA21989
Release Date: 2006-09-19

Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 6.x

Description:
A vulnerability has been discovered in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an error in the processing of Vector Markup Language (VML) documents. It can be exploited, for example, by tricking a user into viewing a malicious VML document containing an overly long "fill" method inside a "rect" tag.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, this is currently being exploited in the wild.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Solution:
Do not visit untrusted web sites.

Deactivating Active Scripting will prevent exploitation using the currently known exploit.
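
While no patch is available, a proxy or mail gateway can flag pages that match the condition described above. The following is an added example, not part of the Secunia advisory: it reports "fill" elements nested in a "rect" element whose "method" attribute exceeds a length limit. The limit of 64, the names used and the sample documents are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: the advisory only says "overly long"; this limit is a
# hypothetical filter setting (documented fill methods are short keywords).
MAX_METHOD_LEN = 64


def local_name(tag):
    """Strip a namespace prefix such as 'v:' (the prefix is author-chosen)."""
    return tag.rsplit(":", 1)[-1]


class VmlFillScanner(HTMLParser):
    """Collects fill elements inside rect whose method attribute is too long."""

    def __init__(self, limit=MAX_METHOD_LEN):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.rect_depth = 0   # number of currently open rect elements
        self.findings = []    # tuples of (line, tag, method length)

    def handle_starttag(self, tag, attrs):
        name = local_name(tag)  # HTMLParser already lower-cases tag names
        if name == "rect":
            self.rect_depth += 1
        elif name == "fill" and self.rect_depth:
            for key, value in attrs:
                if key == "method" and value and len(value) > self.limit:
                    self.findings.append((self.getpos()[0], tag, len(value)))

    def handle_endtag(self, tag):
        if local_name(tag) == "rect" and self.rect_depth:
            self.rect_depth -= 1


def scan(html_text, limit=MAX_METHOD_LEN):
    """Return a list of (line, tag, length) findings for one document."""
    scanner = VmlFillScanner(limit)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed samples (not taken from the advisory or from any real exploit).
BENIGN = '<v:rect style="width:90pt"><v:fill method="linear sigma" /></v:rect>'
SUSPECT = '<html>\n<v:rect>\n<v:fill method="' + "x" * 300 + '" />\n</v:rect></html>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan(doc))
```

A finding is a reason to block or quarantine the page, not proof of an exploit; tune the limit against the VML content your users actually receive.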

Provided and/or discovered by:
Sample exploit provided by Sunbelt Software.
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================