-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-262A
Microsoft Internet Explorer VML Vulnerability
Original release date: September 19, 2006
Last revised: September 26, 2006
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
A vulnerability in Microsoft Internet Explorer could allow an
attacker to take control of your computer.
Solution
Apply Update
Microsoft has provided an update to address this vulnerability. To
obtain this update, visit the Microsoft Update web site.
We also recommends enabling Automatic Updates.
Until the update can be applied, consider the following
workarounds.
Disable Binary and Script Behaviors
Follow the steps in Microsoft Security Advisory (925568) under the
section titled "Configure Internet Explorer 6 for Microsoft Windows
XP Service Pack 2 to disable Binary and Script Behaviors in the
Internet and Local Intranet security zone."
Do not follow unsolicited links
Do not click on unsolicited URLs, including those received in
email, instant messages, web forums, or internet relay chat (IRC)
channels.
Description
An attacker could exploit a vulnerability in Internet Explorer
Vector Markup Language (VML) by convincing a user to open an HTML
document such as a web site or an HTML email message. The attacker
could then take any action as the user, including installing
malicious software and accessing sensitive personal information.
For more technical information, see Vulnerability Note VU#416092.
References
* Vulnerability Note VU#416092 -
<http://www.kb.cert.org/vuls/id/416092>
* Microsoft Security Bulletin MS06-055 -
<http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Microsoft Security Advisory (925568) -
<http://www.microsoft.com/technet/security/advisory/925568.mspx>
* 4 steps to help ward off hackers and attackers -
<http://www.microsoft.com/athome/security/online/browsing_safety.mspx>
* Microsoft Security Essentials -
<http://www.microsoft.com/protect/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-262A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA06-262A Feedback VU#416092" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 19, 2006: Initial release
September 26, 2006: Added update information and added a reference to
Microsoft's update
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRRm0dexOF3G+ig+rAQJDmAf+PD1oiz5JBzwtgcsyCKOFDpUG+wHrw3SB
NUpnelbOo0HzygYZ4ug5tKuo60XMghRyq+oUqAU7G9WsHu+8MeyNHuOSlarAOO2f
JxvLG1EqHoVbL7gIEeJ0OzSz8eZrrfefTbcjR0dF5fc+qPK2sSfVLxbgIyXM7uD+
FQ5MVkFQhLOxE7Y0EQTa8gdEzNNFxvGPXcMkohEoY/WL076JyTTc02xro0FN9zAy
Icq/76MeDGsNrdfWerYtZBGjO03gWhq/0IeiIQ8G4OPCvuFq7heaKjHgssOoaSOm
I5ElIOfas09L10N6hU4Irfy+gpMkQLvZAAwzg4tGvh/i6xdyN16wQw==
=oSJn
-----END PGP SIGNATURE-----
