
CERT Coordination Center

Microsoft Internet Explorer fails to properly interpret HTML with certain layout combinations

Vulnerability Note VU#197852

Original Release Date: 2006-11-15 | Last Revised: 2006-11-17


A vulnerability in the way Microsoft Internet Explorer interprets malformed Web pages may lead to execution of arbitrary code.


Microsoft Internet Explorer contains a vulnerability that could be exploited when Internet Explorer attempts to interpret specially crafted Web pages. According to Microsoft Security Bulletin MS06-067:

When Internet Explorer handles specially crafted HTML with certain HTML layout combinations it may corrupt system memory in such a way that an attacker could execute arbitrary code.


A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the affected user or cause a denial-of-service condition.



Microsoft has released an update to address this issue. See Microsoft Security Bulletin MS06-067 for more details.


Microsoft recommends the following workarounds to mitigate this vulnerability:

    • Read and send email in plain text format
    • Disable active scripting

Please see Microsoft Security Bulletin MS06-067 for details on these workarounds.

Vendor Information


Microsoft Corporation Affected

Updated:  November 14, 2006



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Refer to Microsoft Security Bulletin MS06-067.

If you have feedback, comments, or additional information about this vulnerability, please send us email.




This vulnerability was reported in Microsoft Security Bulletin MS06-067. Microsoft credits Sam Thomas, working with TippingPoint and the Zero Day Initiative, for reporting this issue.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2006-4687
Severity Metric: 27.00
Date Public: 2006-11-14
Date First Published: 2006-11-15
Date Last Updated: 2006-11-17 18:22 UTC
Document Revision: 18

Sponsored by CISA.