Security Alerts
September 28, 2006
Microsoft Releases Sept 2006 Security Update for Vector Markup Language Vulnerability
Summary
On September 28, 2006, Microsoft released a security update, Security Bulletin MS06-055 (925486), to address a critical security vulnerability in the Vector Markup Language (VML) that can lead to remote code execution and system compromise. An attacker could exploit the vulnerability by constructing a rogue Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the e-mail message leading to the Web site. It is important that this patch be applied immediately because of the ease with which the vulnerability can be exploited from the Internet. The affected operating systems and application platforms are:
Windows XP Service Pack 2 (all versions) and Windows XP Professional x64
Internet Explorer 6 Service Pack 1 for Windows XP Service Pack (all versions)
Internet Explorer 6 Service Pack 1 for Windows 2000 Service Pack 4 (all versions)
Internet Explorer 5.01 Service Pack 4 on Windows 2000 (all versions)
What to Do
Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. As of this writing, Stanford's BigFix infrastructure is delivering this patch. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.
Technical Details
This is a remote code execution vulnerability in the Vector Markup Language (VML) implementation in Microsoft Windows. It is caused by an unchecked buffer in the VML implementation. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message.
If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
In an e-mail-based attack using this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead, these users would have to either click a link that takes them to a malicious Web site or open an attachment to be at risk from this vulnerability.
This vulnerability requires that a user is logged on and reading e-mail messages or is visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.
References
Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx

