Microsoft Windows VML Element Integer Overflow Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

VML is a component of the Extensible Markup Language (XML) that specifies vector images (e.g., rectangles and ovals). This functionality is implemented by the library "vgx.dll" in Microsoft Windows. More information is available at the following web site.

http://www.w3.org/TR/NOTE-VML

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in the Vector Markup Language (VML) support in multiple Microsoft products allows attackers to execute arbitrary code within the context of the user running the vulnerable application.

This vulnerability exists due to insufficient input validation within vgx.dll. Two integer properties are multiplied together and no overflow check is performed. This could allow an attacker to force a memory allocation of a smaller amount of memory than is required. When copying user-supplied data into the newly allocated memory, it is possible to overwrite a function pointer stored on the heap, which leads to the execution of arbitrary code.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user running the vulnerable application. Exploitation would require an attacker to persuade a user to visit a malicious website using Internet Explorer, read a specially crafted e-mail message with Microsoft Outlook, or open a specially crafted document using an affected Microsoft Office application.

It is important to note that this vulnerability could be exploited without user interaction via an e-mail message when rendered within Outlook. For example, if a user with the reading pane turned on had Outlook open to an empty in-box when an attack e-mail arrived, exploitation could occur automatically.

IV. DETECTION

iDefense testing shows that Internet Explorer 6.0 bundled with Windows XP SP2 with all available security patches is vulnerable. Other versions of Internet Explorer, including those with all security updates applied, are also vulnerable. Older versions of Internet Explorer may also be vulnerable.

Microsoft Outlook with all available updates has been found to be vulnerable. iDefense has identified that Microsoft Office products, including Outlook, going back as far as Office 2000 may also be vulnerable.

V. WORKAROUND

iDefense Labs has developed the following workaround:

The following registry entry defines the library that implements the vulnerable functionality:

[HKEY_CLASSES_ROOT\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32]

Changing 'InprocServer32' in this registry entry to 'InprocServer32 -disabled' causes the component registered under this CLSID not to load. Completely removing the key also provides the same protection. iDefense strongly recommends that users back up the registry before changing or removing this key.

It should also be noted that since the vulnerable component is not an ActiveX control, setting the kill bit does not disable the vulnerable DLL. As a result, setting the kill bit provides no protection against exploitation.

For previous vulnerabilities in this component, Microsoft suggested unregistering 'vgx.dll' on Windows XP SP1 and SP2 and Windows 2003 and 2003 SP1 systems. Using the "RegSvr32" program to unregister the DLL in question with the following command also unregisters vgx.dll:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Alternatively, system administrators can deny "Full Access" to the file "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll".
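The root cause described in section II is a size computation that wraps: two attacker-controlled integer properties are multiplied in 32-bit arithmetic, the wrapped product is passed to the allocator, and the subsequent copy of the full-size payload runs past the end of the heap block. The following C program is an added illustration of that pattern and of the check that closes it; it is not code from vgx.dll or from iDefense. The function names, the use of a generic count-times-element-size product, and the sample sizes are assumptions chosen for the demonstration, since the advisory does not name the two VML properties involved.

```c
/* Added example (not iDefense's or Microsoft's code): the allocation-size
 * pattern behind the VML advisory, in both unchecked and checked form.
 * Field names and the sample values are assumptions for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The unchecked computation: two attacker-controlled 32-bit properties are
 * multiplied in 32-bit arithmetic and the product is used as a buffer size.
 * Unsigned wraparound is well defined in C, so this simply returns the
 * wrapped (too small) size rather than the true product. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked multiplication: reports overflow instead of returning a wrapped
 * result. The division-based test avoids widening to 64 bits, so the same
 * check works in a 32-bit build. */
bool checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;            /* product would not fit in 32 bits */
    *out = a * b;
    return true;
}

/* Hardened allocate-and-copy: refuses sizes that would have wrapped, refuses
 * a zero-sized buffer, and refuses a payload larger than the buffer it is
 * copied into. Returns NULL on any rejection; the caller owns the result. */
uint8_t *alloc_and_copy(uint32_t count, uint32_t elem_size,
                        const uint8_t *src, size_t src_len)
{
    uint32_t size;
    if (!checked_mul_u32(count, elem_size, &size))
        return NULL;             /* the case the advisory describes */
    if (size == 0 || src_len > size)
        return NULL;             /* copy would exceed the allocation */
    uint8_t *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, src_len);
    return buf;
}

int main(void)
{
    /* Constructed sample: 0x10001 * 0x10000 = 0x100010000, which wraps to
     * 0x10000 in 32-bit arithmetic, so the unchecked path would allocate
     * 64 KiB for data the caller believes is 4 GiB + 64 KiB long. */
    uint32_t count = 0x10001u, elem_size = 0x10000u, size;
    printf("unchecked size: 0x%08x\n", unchecked_alloc_size(count, elem_size));
    printf("checked mul ok: %s\n",
           checked_mul_u32(count, elem_size, &size) ? "yes" : "no (overflow)");

    const uint8_t payload[4] = {1, 2, 3, 4};
    uint8_t *p = alloc_and_copy(count, elem_size, payload, sizeof payload);
    printf("hardened alloc_and_copy: %s\n", p ? "allocated" : "rejected");
    free(p);

    p = alloc_and_copy(2u, 2u, payload, sizeof payload);
    printf("sane sizes: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The point to take from the checked version is that the size check must happen before the allocation and in the same integer width the allocator will see; checking the product after it has already wrapped, or checking only one of the two operands, leaves the same undersized buffer in place.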
The preceding workarounds will provide complete protection, but may prevent proper rendering of documents that rely on VML, such as Microsoft Word, Excel, and PowerPoint documents saved in HTML format and viewed in IE or another application that uses the affected component. These documents can still be opened in the respective applications and will render correctly.

To mitigate the e-mail attack vector, Microsoft recommends that system administrators configure Outlook to view all e-mail messages in plain text, including those from digitally signed "trusted" sources. Applying this workaround will prevent the rendering of rich content such as images and special formatting.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability with Microsoft Security Bulletin MS07-004. A link to this bulletin can be found below.

http://www.microsoft.com/technet/security/bulletin/ms07-004.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0024 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

10/03/2006 Initial vendor notification
10/03/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Joseph Moti.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.