Microsoft Internet Explorer VML record buffer overflow (HTML_VML_Heap_Overflow)

About this signature or vulnerability

Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor:

This signature detects a heap overflow in a VML document.


Default risk level

High

Sensors that have this signature

Proventia Server IPS for Linux technology: 1.94, Proventia Network IPS: XPU 1.94, Proventia Desktop: 1950, Proventia-G 1.1 and earlier: XPU 24.55, Proventia Network MFS: XPU 1.94, BlackICE Server Protection: 3.6.cqa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.1950, BlackICE PC Protection: 3.6cqa, RealSecure Network: XPU 24.55, RealSecure Server Sensor: XPU 24.55

Systems affected

Microsoft Internet Explorer: 6 SP1, Microsoft Internet Explorer: 5.01 SP4, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: Professional x64, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Internet Explorer: 7

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Internet Explorer is vulnerable to a heap-based buffer overflow in the Microsoft Windows implementation of the Vector Markup Language (VML). By creating a malicious HTML document containing specially crafted VML records, a remote attacker could overflow a buffer and execute arbitrary code on the system with the permissions of the victim, if the attacker could persuade the victim to open the malicious file. An attacker could exploit this vulnerability by hosting the file on a Web site or sending it to a victim as an email attachment.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS07-004
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
http://www.microsoft.com/technet/security/bulletin/ms07-004.mspx

iDefense Labs PUBLIC ADVISORY: 01.09.07
Microsoft Windows VML Element Integer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462

US-CERT Vulnerability Note VU#122084
Microsoft Internet Explorer VML buffer overflow
http://www.kb.cert.org/vuls/id/122084

Microsoft Security Bulletin MS07-050
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx

Microsoft Security Bulletin MS08-052
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx

ISS X-Force
Microsoft Internet Explorer VML record buffer overflow
http://www.iss.net/security_center/static/31287.php

CVE
CVE-2007-0024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0024