Cisco Security Agent

CSA Protects Against IE VML Buffer Overflow

Product Bulletin No. 367645


A critical "day-zero" vulnerability was announced on September 26, 2006 for Microsoft Windows XP and XP Professional, Windows Server 2003, and Windows Server 2003 x64. The vulnerability is found in the Internet Explorer code base on these platforms and follows Internet Explorer standards for packaging, detection, and deployment [1]. This vulnerability is actively being exploited. Microsoft has released patches for this vulnerability and is recommending that customers patch their affected systems immediately.
This vulnerability has already been exploited in several attacks. Cisco Systems® has obtained exploit files, and has confirmed that Cisco® Security Agent is effective in stopping these exploits, using the default security policy configuration. No changes to the default configuration or policy updates were required to receive this protection. Current supported Cisco Security Agent versions 4.0.3.x, 4.5.1.x, 5.0.0.x, and 5.1.0.x are effective in stopping the exploits seen to date.


Microsoft Internet Explorer 5.0 and higher supports Vector Markup Language (VML), which is a set of Extensible Markup Language (XML) tags for drawing vector graphics. Internet Explorer fails to properly handle malformed VML tags, which allows a stack buffer overflow to occur. The CERT advisory [2] states that if a remote attacker can persuade a user to access a specially crafted web page with Internet Explorer, that attacker may be able to trigger the buffer overflow. In addition, an attacker could deliver an HTML email message or entice a user to select an HTML document in Windows Explorer.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.


Cisco Security Agent default policies contain three different rules that stopped the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:

• Modification of system files by a suspicious (downloaded) application

• Execution of a system function from a buffer, through a buffer overflow

This testing is shown in Figure 1.
The exploit was tested at Cisco with Cisco Security Agent in Test mode, which does not block malicious behavior. In this mode the agent reports every rule that would be applied if it were in protect mode, which makes it possible to observe all the ways in which the Cisco Security Agent default policies would stop the exploit. When the agent is in protect mode (the typical operational configuration), the first rule would kill the exploit. No subsequent events would be seen, since the exploit would be terminated before it could perform any malicious actions.
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agents to be effective. In short, this was a true test of "day-zero" protection. This is similar to what we have seen with earlier exploits and worms: the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. Following is a partial list of prior worms and exploits that Cisco Security Agent has stopped using the default security policy settings:
This exploit is only the latest example of new and mutating attacks that can seriously affect an organization's computing and network environments. The key to stopping these new attacks is the ability to stop the attack without requiring any changes to the default configuration, and to have multiple rules in the default policies that provide defense in depth.

Figure 1. Cisco Security Agent 5.1 Default Configuration Stops the Microsoft Internet Explorer VML Buffer Overflow Exploit


1. Microsoft Security Advisory 925568:

2. CERT Vulnerability Note VU#416092: