search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows VML compressed content integer underflow

Vulnerability Note VU#468800

Original Release Date: 2007-08-14 | Last Revised: 2007-08-17


Microsoft Windows VML fails to properly handle compressed content, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


Microsoft IE version 5.0 and higher supports the Vector Markup Language (VML), which is a set of XML tags for drawing vector graphics. VGX.DLL provides VML support for Internet Explorer. VGX.DLL contains an integer underflow vulnerability in the handling of compressed VML content.


By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.


Apply an update

This issue is addressed by Microsoft Security Bulletin MS07-050. This bulletin provides an updated version of VGX.DLL.

Until the update can be applied, consider the following workarounds:

Disable VML support

Microsoft Security Bulletin MS07-050 suggests the following technique to disable VML support:

    1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.
    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
    Disable ActiveX

    Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document. 

    Do not follow unsolicited links

    In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

    Disable Active Scripting

    Although this vulnerability does not require Active Scripting to be enabled, known exploits targeting this issue use Active Scripting to place malicious code on a vulnerable system. To block this attack vector, it is recommended that Active Scripting be disabled. For instructions on how to disable Active Scripting in Microsoft Internet Explorer, please refer to the Internet Explorer section of the Securing Your Web Browser document.

    Vendor Information


    Microsoft Corporation Affected

    Updated:  August 14, 2007



    Vendor Statement

    We have not received a statement from the vendor.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.


    This issue is addressed by Microsoft Security Bulletin MS07-050. This bulletin provides an updated version of VGX.DLL.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    CVSS Metrics

    Group Score Vector



    Thanks to Microsoft for reporting this vulnerability, who in turn credit eEye Digital Security.

    This document was written by Will Dormann.

    Other Information

    CVE IDs: CVE-2007-1749
    Severity Metric: 21.04
    Date Public: 2007-08-14
    Date First Published: 2007-08-14
    Date Last Updated: 2007-08-17 12:32 UTC
    Document Revision: 7

    Sponsored by CISA.