Buffer overflow in Internet Explorer vgx.dll (VML flaw)
Causes a denial-of-service (crash) and can allow remote access
There's a previously unknown buffer-overflow vulnerability affecting Internet Explorer. Specifically, the new vulnerability exists within the Vector Markup Language (VML), a component that specifies vector images in an Extensible Markup Language (XML) document within IE. Current attacks try to execute Trojan horse programs that may allow remote access to a compromised system. While JavaScript is not necessary to exploit the vulnerability, the current attacks do use JavaScript. Thus the only workaround is to disable JavaScript within IE.
In response Microsoft has issued a rare, out-of-cycle patch. Microsoft traditionally issues new security patches on the second Tuesday of each month so that system administrators have time to test the patch before rolling it out to desktops on a network. But because details on how to make an exploit for this Internet Explorer have been posted on the Internet and because various third-party security vendors have issued their own patches, Microsoft rushed this patch.
Additional resources:
- Microsoft: Patch MS06-055
- US-CERT Technical Alert: TA06-262A
- US-CERT Vulnerability Note: VU#416092
- FrSIRT: #3679
- Secunia: #21989