[VulnWatch] iDefense Security Advisory 01.09.07: Multiple Microsoft Products VML 'recolorinfo' Element Integer Overflow Vulnerability

From: iDefense Labs (labs-no-reply@private)
Date: Tue Jan 09 2007 - 11:14:04 PST


Microsoft Windows VML Element Integer Overflow Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

VML is a component of the Extensible Markup Language (XML) that specifies
vector images (e.g., rectangles and ovals). This functionality is
implemented by the library "vgx.dll" in Microsoft Windows. More
information is available at the following web site.

http://www.w3.org/TR/NOTE-VML

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in the Vector
Markup Language (VML) support in multiple Microsoft products allows
attackers to execute arbitrary code within the context of the user running
the vulnerable application.

This vulnerability exists due to insufficient input validation within
vgx.dll. Two integer properties are multiplied together and no overflow
check is performed. This could allow an attacker to force a memory
allocation of a smaller amount of memory than is required. When copying
user supplied data into the newly allocated memory, it is possible to
overwrite a function pointer stored on the heap, which leads to the
execution of arbitrary code.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary code in the context of the user running the vulnerable
application.

Exploitation would require an attacker to persuade a user to visit a
malicious website using Internet Explorer, read a specially crafted e-
mail message with Microsoft Outlook, or open a specially crafted document
using an affected Microsoft Office application.

It is important to note that this vulnerability could be exploited without
user interaction via an e-mail message when rendered within Outlook. For
example, if a user with the reading pane turned on had Outlook open to an
empty in-box when an attack e-mail arrived, exploitation could occur
automatically.

IV. DETECTION

iDefense testing shows that Internet Explorer 6.0 bundled with Windows XP
SP2 with all available security patches is vulnerable. Other versions of
Internet Explorer, including those with all security updates applied, are
also vulnerable. Older versions of Internet Explorer may also vulnerable.

Microsoft Outlook with all available updates has been found to be
vulnerable. iDefense has identified Microsoft Office products, including
Outlook, going back as far as Office 2000 may also vulnerable.

V. WORKAROUND

iDefense Labs has developed the following workaround:

The following registry entry defines the library that implements the
vulnerable functionality:

[HKEY_CLASSES_ROOT\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32]


Changing 'InprocServer32' in this registry entry to 'InprocServer32
-disabled' causes the control that handles InprocServer32 not to load.
Completely removing the key also provides the same protection.

iDefense strongly recommends that users back up the registry before
changing or removing this key.

It should also be noted that since the vulnerable component is not an
ActiveX control, setting the kill bit does not disable the vulnerable DLL.
As a result, setting the kill bit provides no protection against
exploitation.

For previous vulnerabilities in this component, Microsoft suggested
unregistering 'vgx.dll' on Windows XP SP1 and SP2 and Windows 2003 and
2003 SP1 systems. Using the "RegSvr32" program to unregister the dll in
question with the following command also unregisters Vgx.dll:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Alternatively, system administrators can deny "Full Access" to the file
"%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll".

The preceding workarounds will provide complete protection, but may
prevent proper rendering of documents that rely on VML, such as Microsoft
Word, Excel, and PowerPoint documents when saved in HTML format and viewed
in IE or another application that uses the affected component. These
documents can still be opened in the respective applications and will
render correctly.

To mitigate the e-mail attack vector, Microsoft recommends that system
administrators configure Outlook to view all e-mail messages in
plain-text, including those from digitally signed "trusted" sources.
Applying this workaround will prevent the rendering or rich content such
as images and special formatting.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability with Microsoft Security Bulletin
MS07-004. A link to this bulletin can be found below.

http://www.microsoft.com/technet/security/bulletin/ms07-004.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0024 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/03/2006  Initial vendor notification
10/03/2006  Initial vendor response
01/09/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Jospeh Moti.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.



This archive was generated by hypermail 2.1.3 : Tue Jan 09 2007 - 13:41:50 PST