(MS06-055) Microsoft Vector Markup Language Vulnerability (925486)

Type: Buffer Overflow
Impact of exploitation: Remote Code Execution
User Interaction: User interaction is needed
Attack Vector: Website or e-mail with malicious content
Rating: High
CVE reference: CVE-2006-4868
Vendor Status: Responded and patched
Vulnerable systems: Windows XP SP0 - SP2, Windows 2003 SP0 - SP1, Windows 2000 SP4, Internet Explorer 6, Internet Explorer 5.01

Summary
A vulnerability is present in Microsoft Internet Explorer and Microsoft Outlook that may allow arbitrary code execution. It could be triggered when a user visits a malicious website or through an HTML email attachment. Exploitation has been seen in the wild.

Description

Microsoft Internet Explorer is an industry-standard web browser. Microsoft Outlook is an e-mail client included with the Office business suite. Vector Markup Language (VML) allows vector graphics to be displayed and positioned in HTML in each of these applications. A buffer overflow vulnerability is present in Internet Explorer and Microsoft Office when processing malicious VML content, and code execution could occur as a result. Successful exploitation could take the form of two attacks. The first would involve a victim being lured to an attacker-controlled website, which could allow drive-by downloading of malicious content without further user interaction. The second could occur via a maliciously crafted HTML attachment delivered in email. Exploitation has been detected in the wild.

McAfee Product Mitigation & Recommendations

Recommendations

Download and install the patch available from Microsoft (KB925486): http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

McAfee Product Mitigation

McAfee Foundstone

This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.

Signature: (MS06-055) Microsoft Vector Markup Language Vulnerability (925486)
Signature identifier: 4619
Release date: 9/20/2006

McAfee Intrushield

The following Intrushield User Defined Signature (UDS) detects malware that is known to exploit this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: Microsoft IE VML Rendering Vulnerability - UDS
Release date: 9/19/2006

McAfee Intrushield

The following Intrushield signature covers exploitation of this vulnerability. We have found that Intrushield is not protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: SMTP Outlook VML Vulnerability
Signature identifier: 0x4040B600
Release date: 9/26/2006
First released in: sigset(s) 3.1.22, 2.1.49, 1.9.66, 1.8.83

McAfee Intrushield

The following Intrushield signature covers exploitation of this vulnerability. We have found that Intrushield is not protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: HTTP IE VML 0-day Remote Code Execution
Signature identifier: 0x4022DF00
Release date: 9/26/2006
First released in: sigset 3.1.22

McAfee Host IPS

This signature provides coverage for this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: Microsoft Internet Explorer Vector Markup Language Vulnerability (1)
Signature identifier: 3774
Release date: 10/11/2006
First released in: Security Content Update 661

McAfee Host IPS

McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: Microsoft Internet Explorer Vector Markup Language Vulnerability (2)
Signature identifier: 3776
Release date: 10/11/2006
First released in: Security Content Update 661

McAfee Host IPS

McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: Generic Buffer Overflow protection
Signature identifier: 412
Release date: 8/24/2000
First released in: 2.0

McAfee VirusScan Enterprise 8.0i (VSE8.0i) / Managed Virus Scan (MVS) Buffer Overflow Protection

Out of the box, VSE8.0i and MVS Buffer Overflow Protection (BOP) protect against many buffer overflow exploits. We have found that VSE8.0i and MVS BOP are not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs has DAT coverage for this vulnerability and will update this coverage as new threats emerge.

Signature: Buffer Overflow Protection
Release date: 8/30/2004
First released in: build 131

McAfee Anti-Virus protection

The following A-V signature detects malware that is known to exploit this vulnerability.

Signature: Exploit-VMLFill
Release date: 9/20/2006
First released in: DAT 4856

Additional Resources

Exploit-VMLFill

http://vil.nai.com/vil/content/v_140629.htm

Microsoft Security Advisory: Vulnerability in Vector Markup Language Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/925568.mspx

Seen in the wild: Zero Day exploit being used to infect PCs

http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html

A quick entry on the VML issue.

http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx

Microsoft Security Bulletin: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)

http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

Timeline

10/3/2006

Exploit code has been released.

9/26/2006

Vendor has provided a patch.

9/25/2006

Exploit code has been released.

9/24/2006

Exploit code has been released.

9/22/2006

The vendor has blogged that they might release an out-of-band patch for this vulnerability.

9/21/2006

Exploit code has been released.

9/20/2006

Exploit code has been released.

9/19/2006

Vulnerability information has been publicly disclosed.

9/19/2006

Vendor has provided information on the vulnerability.

9/19/2006

A denial of service proof of concept has been released.

9/18/2006

Vulnerability information has been publicly disclosed.
