Microsoft Internet Explorer VML Vulnerability
Original release date: September 19, 2006
Last revised: --
Source: US-CERT
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
Overview
A vulnerability in Microsoft Internet Explorer could allow an attacker to take control of your computer.
Solution
Microsoft has not yet released an update to address this vulnerability. From Microsoft Security Advisory (925568):
A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.
Until an update is available, consider the following workarounds.
Disable Binary and Script Behaviors
Follow the steps in Microsoft Security Advisory (925568) under the section titled "Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone."
Do not follow unsolicited links
Do not click on unsolicited URLs, including those received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Description
An attacker could exploit a vulnerability in Internet Explorer Vector Markup Language (VML) by convincing a user to open an HTML document such as a web site or an HTML email message. The attacker could then take any action as the user, including installing malicious software and accessing sensitive personal information.
For more technical information, see Vulnerability Note VU#416092.
References
Feedback can be directed to US-CERT.
