Cited from FRSIRT - parts excluded due to forum rules (namely other reference URLs)
...
Advisory ID : FrSIRT/ADV-2006-3679 CVE ID : CVE-2006-3866 Rated as : Critical Remotely Exploitable : Yes Locally Exploitable : Yes Release Date : 2006-09-19
Technical Description
A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to crash a vulnerable browser or take complete control of an affected system. This flaw is due to a buffer overflow error in the Microsoft Vector Graphics Rendering library (Vgx.dll) when processing Vector Markup Language (VML) documents containing a "rect" shape with an overly long "fill" method, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a malicious Web page.
FrSIRT has confirmed this vulnerability on a fully patched Windows XP SP2 system. This issue is currently being exploited in the wild by malicious web sites.
Affected Products
Microsoft Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1 Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2 Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1 Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium) Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 (Itanium) Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
Solution
The FrSIRT is not aware of any official supplied patch for this issue.
Disable Active Scripting in the Internet and Local intranet security zones :
- In Internet Explorer, click Internet Options on the Tools menu - Click the Security tab - Click Internet, and then click Custom Level - Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK - Click Local intranet, and then click Custom Level - Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK - If you are prompted to confirm that you want to change these settings, click Yes - Click OK to return to Internet Explorer
Note : Disabling Active Scripting may cause some Web sites to work incorrectly.
I would never use IE, and use Firefox. It's faster, more stable, and is patched/modified all the time by people who care about it - not people who want to make $ off of it like Microsoft does.
Firefox > IE
I'm in the process of starting a project that J mentioned to me a bit ago - I'm working on writing a browser in DarkBasic which won't have any issues that IE does due to it being based on a completely different graphics set, and isn't recycled code.
I've told people for years not to use IE. Every other week someone finds a glitch in it to cause problems and exploit your PC. I upgraded to IE7 just in case, but I don't even use it.
Firefox and Opera, and I'm sure other browsers, are totally free. Plus they upgrade often.
Report threads that break rules, are offensive, or contain fighting. Staff may not be aware of the forum abuse, and cannot do anything about it unless you tell us about it. click to report forum abuse »
If one of the comments is offensive, please report the comment instead (there is a link in each comment to report it).
...
Advisory ID : FrSIRT/ADV-2006-3679
CVE ID : CVE-2006-3866
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-09-19
Technical Description
A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to crash a vulnerable browser or take complete control of an affected system. This flaw is due to a buffer overflow error in the Microsoft Vector Graphics Rendering library (Vgx.dll) when processing Vector Markup Language (VML) documents containing a "rect" shape with an overly long "fill" method, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a malicious Web page.
FrSIRT has confirmed this vulnerability on a fully patched Windows XP SP2 system. This issue is currently being exploited in the wild by malicious web sites.
Affected Products
Microsoft Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
Solution
The FrSIRT is not aware of any official supplied patch for this issue.
Disable Active Scripting in the Internet and Local intranet security zones :
- In Internet Explorer, click Internet Options on the Tools menu
- Click the Security tab
- Click Internet, and then click Custom Level
- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK
- Click Local intranet, and then click Custom Level
- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK
- If you are prompted to confirm that you want to change these settings, click Yes
- Click OK to return to Internet Explorer
Note : Disabling Active Scripting may cause some Web sites to work incorrectly.