Thread-topic: iDefense Security Advisory 01.09.07: Multiple Microsoft ProductsVML 'recolorinfo' Element Integer Overflow Vulnerability
> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Tuesday, January 09, 2007 10:14 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 01.09.07: Multiple
> Microsoft ProductsVML 'recolorinfo' Element Integer Overflow
> Vulnerability
>
> Microsoft Windows VML Element Integer Overflow Vulnerability
>
> iDefense Security Advisory 01.09.07
>
> Jan 09, 2007
>
> I. BACKGROUND
>
> VML is a component of the Extensible Markup Language (XML)
> that specifies
> vector images (e.g., rectangles and ovals). This functionality is
> implemented by the library "vgx.dll" in Microsoft Windows. More
> information is available at the following web site.
>
>
>
> II. DESCRIPTION
>
> Remote exploitation of an integer overflow vulnerability in the Vector
> Markup Language (VML) support in multiple Microsoft products allows
> attackers to execute arbitrary code within the context of the
> user running
> the vulnerable application.
>
> This vulnerability exists due to insufficient input validation within
> vgx.dll. Two integer properties are multiplied together and
> no overflow
> check is performed. This could allow an attacker to force a memory
> allocation of a smaller amount of memory than is required.
> When copying
> user supplied data into the newly allocated memory, it is possible to
> overwrite a function pointer stored on the heap, which leads to the
> execution of arbitrary code.
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability would allow an
> attacker to
> execute arbitrary code in the context of the user running the
> vulnerable
> application.
>
> Exploitation would require an attacker to persuade a user to visit a
> malicious website using Internet Explorer, read a specially crafted e-
> mail message with Microsoft Outlook, or open a specially
> crafted document
> using an affected Microsoft Office application.
>
> It is important to note that this vulnerability could be
> exploited without
> user interaction via an e-mail message when rendered within
> Outlook. For
> example, if a user with the reading pane turned on had
> Outlook open to an
> empty in-box when an attack e-mail arrived, exploitation could occur
> automatically.
>
> IV. DETECTION
>
> iDefense testing shows that Internet Explorer 6.0 bundled
> with Windows XP
> SP2 with all available security patches is vulnerable. Other
> versions of
> Internet Explorer, including those with all security updates
> applied, are
> also vulnerable. Older versions of Internet Explorer may also
> vulnerable.
>
> Microsoft Outlook with all available updates has been found to be
> vulnerable. iDefense has identified Microsoft Office
> products, including
> Outlook, going back as far as Office 2000 may also vulnerable.
>
> V. WORKAROUND
>
> iDefense Labs has developed the following workaround:
>
> The following registry entry defines the library that implements the
> vulnerable functionality:
>
> [HKEY_CLASSES_ROOT\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E
> }\InprocServer32]
>
>
> Changing 'InprocServer32' in this registry entry to 'InprocServer32
> -disabled' causes the control that handles InprocServer32 not to load.
> Completely removing the key also provides the same protection.
>
> iDefense strongly recommends that users back up the registry before
> changing or removing this key.
>
> It should also be noted that since the vulnerable component is not an
> ActiveX control, setting the kill bit does not disable the
> vulnerable DLL.
> As a result, setting the kill bit provides no protection against
> exploitation.
>
> For previous vulnerabilities in this component, Microsoft suggested
> unregistering 'vgx.dll' on Windows XP SP1 and SP2 and Windows 2003 and
> 2003 SP1 systems. Using the "RegSvr32" program to unregister
> the dll in
> question with the following command also unregisters Vgx.dll:
>
> regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
>
> Alternatively, system administrators can deny "Full Access"
> to the file
> "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll".
>
> The preceding workarounds will provide complete protection, but may
> prevent proper rendering of documents that rely on VML, such
> as Microsoft
> Word, Excel, and PowerPoint documents when saved in HTML
> format and viewed
> in IE or another application that uses the affected component. These
> documents can still be opened in the respective applications and will
> render correctly.
>
> To mitigate the e-mail attack vector, Microsoft recommends that system
> administrators configure Outlook to view all e-mail messages in
> plain-text, including those from digitally signed "trusted" sources.
> Applying this workaround will prevent the rendering or rich
> content such
> as images and special formatting.
>
> VI. VENDOR RESPONSE
>
> Microsoft has addressed this vulnerability with Microsoft
> Security Bulletin
> MS07-004. A link to this bulletin can be found below.
>
>
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-0024 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 10/03/2006 Initial vendor notification
> 10/03/2006 Initial vendor response
> 01/09/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by Jospeh Moti.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be
> accurate at
> the time of publishing based on currently available
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or
> reliance on, this
> information.
>
> _______________________________________________
> To unsubscribe, go here:
>
>
