(MS07-004) Microsoft VML Buffer Overrun Vulnerability (929969)
- Type
- Buffer Overflow
- Impact of exploitation
- Remote Code Execution
- User Interaction
- User interaction is needed
- Attack Vector
- Website or e-mail with malicious content
- Rating
- High
- CVE reference
- CVE-2007-0024
- Vendor Status
- Responded and patched
- Vulnerable systems
- Windows XP SP0 - SP2
- Windows 2003 SP0 - SP1
- Windows 2000 SP4
- Internet Explorer 6
- Internet Explorer 5.01
- Internet Explorer 7
- Summary
- A buffer-overflow vulnerability exists in Microsoft Internet Explorer that may allow for remote code execution. A user would have to visit a malicious Website or view a specially-crafted HTML e-mail message for an attack to occur.
Description
Microsoft Internet Explorer is an industry-standard web browser. A vulnerability exists in Microsoft Internet Explorer that may allow for remote code execution. A buffer overflow is triggered by specially-crafted Vector Markup Language (VML) content. A user would have to visit a malicious Website or view a specially-crafted HTML e-mail message for an attack to occur. A successful attack would allow code execution at the rights level of the victim's user account.
McAfee Product Mitigation & Recommendations
Recommendations
Download and install the patch available from Microsoft (929969): http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
McAfee Product Mitigation
McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
- Signature:
- (MS07-004) Microsoft VML Buffer Overrun Vulnerability (929969)
- Signature identifier:
- 4871
- Release date:
- 1/9/2007
McAfee Intrushield
We have found that McAfee Intrushield is not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Possible Vector Markup Language Exploit
- Signature identifier:
- 0x40230D00
- Release date:
- 1/9/2007
- First released in:
- sigset 3.1.29
McAfee Host IPS
McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Generic buffer overflow protection
- Signature identifier:
- 428
- Release date:
- 8/24/2000
- First released in:
- 2.0
McAfee Host IPS
McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Microsoft Internet Explorer Vector Markup Language Vulnerability (1)
- Signature identifier:
- 3774
- Release date:
- 10/11/2006
- First released in:
- security content 661
McAfee Host IPS
McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Microsoft Internet Explorer Vector Markup Language Vulnerability (2)
- Signature identifier:
- 3776
- Release date:
- 10/11/2006
- First released in:
- security content 661
McAfee VirusScan Enterprise 8.0i (VSE8.0i) / Managed Virus Scan (MVS) Buffer Overflow Protection
Out of the box, VSE8.0i and MVS protect against many buffer overflow exploits. We have found that VSE8.0i and MVS are protecting against some, but not all known exploits of this vulnerability. McAfee Avert Labs will update DAT coverage for this vulnerability as new threats emerge.
- Signature:
- Buffer Overflow Protection
- Release date:
- 8/30/2004
- First released in:
- build 131
Additional Resources
Microsoft Security Bulletin MS07-004: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
Microsoft Windows VML Element Integer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462
Timeline
11/1/2007
An exploit is available to subscribers of Immunity's Canvas toolbox.
1/10/2007
Vendor has supplied information for a non-security related issue
1/9/2007
Vendor has provided a patch.
1/9/2007
Vulnerability information has been publicly disclosed.