VML Flaw Threatens IE
David Utter Staff Writer
2006-09-19
Microsoft's implementation of the Vector Markup Language rendering engine has a vulnerability that could lead to a buffer overflow and execution of arbitrary code.
Sunbelt Software's Eric Sites, VP for research and development, posted about an in-the-wild exploit affecting Internet Explorer. The flaw allows exploitation of a fully patched system and was triggered, in their example, by visiting an adult website that links to malicious code.
Sites noted how they verified and double-checked the instance running on VMware to ensure it had been fully updated per Microsoft's Baseline Security Analyzer. Despite being patched, the exploit created a buffer overflow and began to run code on the system, installing spyware as it executed.
"This exploit can be mitigated by turning off Javascripting," Sites wrote. (UPDATE! Sunbelt's Alex Eckelberry said in an email that disabling JavaScript is no longer a valid mitigation of this exploit, as a new variation of the exploit is in the wild.)
According to the Microsoft Security Response Center blog, an advisory has been posted by the company about the issue.
"Thus far the attacks appear targeted and very limited," the MSRC post noted. "We've actually been working on an update that addresses this vulnerability and our goal is to have it ready for the October release, or before if we see widespread attacks."
As we have noted before, alternatives to IE exist. Opera and Firefox are both freely available web browser options that are unaffected by IE exploits of this nature.
---
Tags: Internet Explorer, VML
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.