MS.Windows.Vector.Markup.Language.Code

NameMS.Windows.Vector.Markup.Language.Code.Execution
Last Updated DateSep 22, 2009
Release DateJan 09, 2007
SeverityCritical
ImpactSystem compromise: Arbitrary code execution.
DescriptionThis indicates an attempt to exploit an integer overflow vulnerability in the Vector Markup Language (VML) support in Microsoft products. This vulnerability may allow remote attackers to execute arbitrary code within the context of the user running the vulnerable application.

The vulnerability is a result of insufficient input validation in vgx.dll. Two integer properties are multiplied together and no overflow check is performed. This could allow an attacker to force allocation of a smaller amount of memory than is required. When copying user supplied data into the newly allocated memory, it is possible to overwrite a function pointer stored on the heap, which can be used to cause the execution of arbitrary code.
Affected ProductsMicrosoft Internet Explorer 5.01
Microsoft Internet Explorer 6.x
Microsoft Internet Explorer 7.x
Recommended ActionsApply patches.

Windows XP SP2:
http://www.microsoft.com/downloads/de...=81FB6A72-AC8A-4B28-905F-A44691D69432

Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/de...=D06FD167-4F3E-4A2C-B52C-7426DDAD6828

Windows Server 2003 (optionally with SP1):
http://www.microsoft.com/downloads/de...=4FEE481F-DACE-4EAC-9AFE-BC28ADD70CC5

Windows Server 2003 for Itanium-based systems (optionally with SP1):
http://www.microsoft.com/downloads/de...=C517FB85-128E-43DB-A659-38AF32283716

Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/de...=FF4A1F24-C1E9-4223-965B-14C4793AAF96

Internet Explorer 5.01 SP4 on Windows 2000 SP4:
http://www.microsoft.com/downloads/de...=B1C7F765-772C-4EEB-9438-BC820CB929E1

Internet Explorer 6 SP1 on Windows 2000 SP4:
http://www.microsoft.com/downloads/de...=922A3569-85D1-4584-9B84-4AA7304C69BB

Internet Explorer 7 on Windows XP SP2:
http://www.microsoft.com/downloads/de...=55A0A6EC-FEFA-40BB-BB6B-3AAB50275A73

Internet Explorer 7 on Windows XP Pro x64 Edition:
http://www.microsoft.com/downloads/de...=B5A8B1F2-6AF0-4F03-989C-C8DE2EACE71D

Internet Explorer 7 on Windows Server 2003 (optionally with SP1):
http://www.microsoft.com/downloads/de...=08E5CD2E-55C0-4AC9-859F-1B24497B31CE

Internet Explorer 7 on Windows Server 2003 for Itanium-based systems (optionally with SP1):
http://www.microsoft.com/downloads/de...=48B4D271-D494-4A5C-ABA8-11B3B4584902

Internet Explorer 7 on Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/de...=F9C3E0DE-DB66-4D83-829F-C93052BDB1FA
Common Vulnerabilities and Exposures (CVE)http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0024
Microsoft Bulletin IDMS07-004   http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
Reference/shttp://www.securityfocus.com/bid/21930 (BugTraq)
http://www.vupen.com/english/advisories/ADV/2007 (FrSIRT)
Reference: VID-13754