9.3 - VU#468800

Executive Summary

Summary
Title	Microsoft Windows VML compressed content integer underflow

Informations
Name	VU#468800	First vendor Publication	2007-08-14
Vendor	VU-CERT	Last vendor Modification	2007-08-17
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#468800

Microsoft Windows VML compressed content integer underflow

Overview

Microsoft Windows VML fails to properly handle compressed content, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft IE version 5.0 and higher supports the Vector Markup Language (VML), which is a set of XML tags for drawing vector graphics. VGX.DLL provides VML support for Internet Explorer. VGX.DLL contains an integer underflow vulnerability in the handling of compressed VML content.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.

III. Solution

Apply an update

This issue is addressed by Microsoft Security Bulletin MS07-050. This bulletin provides an updated version of VGX.DLL.

Until the update can be applied, consider the following workarounds:

Disable VML support

Microsoft Security Bulletin MS07-050 suggests the following technique to disable VML support:

Click Start, click Run, type "%SystemRoot%System32 egsvr32.exe" -u "%CommonProgramFiles%Microsoft SharedVGXvgx.dll", and then click OK.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Disable Active Scripting

Although this vulnerability does not require Active Scripting to be enabled, known exploits targeting this issue use Active Scripting to place malicious code on a vulnerable system. To block this attack vector, it is recommended that Active Scripting be disabled. For instructions on how to disable Active Scripting in Microsoft Internet Explorer, please refer to the Internet Explorer section of the Securing Your Web Browser document.

Systems Affected

Vendor	Status	Date Updated
Microsoft Corporation	Vulnerable	14-Aug-2007

References

http://www.us-cert.gov/reading_room/securing_browser/
http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx
http://research.eeye.com/html/advisories/published/AD20070814a.html
http://www.iss.net/threats/273.html
http://secunia.com/advisories/26409/

Credit

Thanks to Microsoft for reporting this vulnerability, who in turn credit eEye Digital Security.

This document was written by Will Dormann.

Other Information

Date Public	08/14/2007
Date First Published	08/14/2007 04:56:23 PM
Date Last Updated	08/17/2007
CERT Advisory
CVE Name	CVE-2007-1749
Metric	21.04
Document Revision	7

Original Source

Url : http://www.kb.cert.org/vuls/id/468800

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:1784

Oval ID:	oval:org.mitre.oval:def:1784
Title:	VML Buffer Overrun Vulnerability
Description:	Integer underflow in the CDownloadSink class code in the Vector Markup Language (VML) component (VGX.DLL), as used in Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code via compressed content with an invalid buffer size, which triggers a heap-based buffer overflow.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2007-1749	Version:	6
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista	Product(s):	Microsoft Internet Explorer
Definition Synopsis:
IE 5.01,SP4 on Win2k,SP4 Microsoft Windows 2000 SP4 or later is installed AND Microsoft Internet Explorer 5.01 SP4 is installed AND the version of vgx.dll is less than 5.0.3854.2500 OR IE 6 on Win 2k, SP4 Microsoft Windows 2000 SP4 or later is installed AND Internet Explorer 6 Service Pack 1 is installed AND the version of vgx.dll is less than 6.0.2800.1599 OR IE 6 on Win XP SP2 Microsoft Windows XP SP2 or later is installed AND Microsoft Internet Explorer 6 is installed AND the version of vgx.dll is less than 6.0.2900.3164 OR IE 7 on Win XP SP2 Microsoft Windows XP SP2 or later is installed AND Microsoft Internet Explorer 7 is installed AND the version of vgx.dll is less than 7.0.6000.20628 OR IE 6 on Win XP SP1 (64-bit) Microsoft Windows XP SP1 (64-bit) is installed AND Microsoft Internet Explorer 6 is installed AND the version of vgx.dll is less than 6.0.3790.2962 OR IE 6 on Win XP SP2 (64-bit) Microsoft Internet Explorer 6 is installed AND the version of vgx.dll is less than 6.0.3790.4106 AND Microsoft Windows XP x64 Edition SP2 is installed OR IE 7 on Win XP (64-bit) IF Microsoft Windows XP SP1 (64-bit) is installed AND Microsoft Windows XP x64 Edition SP2 is installed AND Microsoft Internet Explorer 7 is installed AND the version of vgx.dll is less than 7.0.6000.20628 OR IE 6 on Win S03 SP1 IF Microsoft Windows Server 2003 SP1 (x86) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 SP1 for Itanium is installed AND Microsoft Internet Explorer 6 is installed AND the version of vgx.dll is less than 6.0.3790.2962 OR IE 6 on Win S03 SP2 IF Microsoft Windows Server 2003 SP2 (x86) is installed AND Microsoft Windows Server 2003 SP2 (x64) is installed AND Microsoft Windows Server 2003 (ia64) SP2 is installed AND Microsoft Internet Explorer 6 is installed AND the version of vgx.dll is less than 6.0.3790.4106 OR IE 7 on S03 Windows XP (64-bit,SP1) or Server 2003 (SP1) is installed Microsoft Windows Server 2003 SP1 (x86) is installed AND Microsoft Windows Server 2003 SP2 (x86) is installed AND Microsoft Internet Explorer 7 is installed AND the version of vgx.dll is less than 7.0.6000.20628 OR IE 7 on Vista Microsoft Windows Vista is installed AND Microsoft Internet Explorer 7 is installed AND the version of vgx.dll is less than 7.0.6000.16513

CPE : Common Platform Enumeration

Type	Description	Count
Application	Microsoft Internet Explorer cpe:2.3:a:microsoft:internet_explorer:7:::::::* cpe:2.3:a:microsoft:internet_explorer:6:::::::* cpe:2.3:a:microsoft:internet_explorer:5.01:::::::*	3

OpenVAS Exploits

Date	Description
2010-07-08	Name : Microsoft Windows Vector Markup Language Buffer Overflow (938127) File : nvt/ms07-050.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
36390	Microsoft Windows Vector Markup Language (VML) VGX.DLL CDownloadSink Class Ov...

Information Assurance Vulnerability Management (IAVM)

Date	Description
2007-08-16	IAVM : 2007-A-0045 - Microsoft Internet Explorer Vector Markup Language Remote Code Execution Vuln... Severity : Category II - VMSKEY : V0014825

Snort® IPS/IDS

Date	Description
2014-01-10	Microsoft Internet Explorer VML source file memory corruption attempt RuleID : 12282 - Revision : 13 - Type : BROWSER-IE
2014-01-10	Microsoft Internet Explorer VML source file memory corruption attempt RuleID : 12281 - Revision : 13 - Type : BROWSER-IE
2014-01-10	Microsoft Internet Explorer VML source file memory corruption attempt RuleID : 12280 - Revision : 17 - Type : BROWSER-IE

Nessus® Vulnerability Scanner

Date	Description
2007-08-14	Name : Arbitrary code can be executed on the remote host through the email client or... File : smb_nt_ms07-050.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2015-05-08 13:28:03	Multiple Updates
2013-05-11 12:26:37	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	1
CPE ID(s)	3
osvdb(s)	1
Openvas Exploit(s)	1
IAVM(s)	1
Snort® Rule(s)	3
Nessus® Exploit(s)	1

	Related
9.3	MS07-050
9.3	CVE-2007-1749
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)