Buffer overflow in Vector Markup Language (VML) library file used by Microsoft Internet Explorer and Outlook.
Please read our release notes and testing methodology prior to downloading the patch.
Here we specify under what configuration the patch was tested, as well as our testing methodology and versions of of your software which are not vulnerable to this exploit: Test Notes
By downloading this patch you agree that the patch is a non-vendor supplied patch and you are using this patch of your own accord. You also agree ISOTF/ZERT supplies this patch on an AS-IS basis and that you are using this patch at your own risk.
A ZERT patch has just been made available for unsupported system versions (Windows 9x to 2000 SP3 and XP SP0).
For our original patch, it is IMPORTANT to rollback the ZERT patch, before OR after the Microsoft patch for it to work. Enter our test page again through this download page to make sure you are secure.
To download the patch for unsupported system versions (Windows 9x to 2000 SP3 and XP SP0), released under the GPL license, follow the link:
zert2006-01Win98.zip
(Size: 176KB, MD5 sum: 2bdd565b75d997202ff50deb502e5581)
Our original patch is no longer available due to the release of a vendor patch:
zert2006-01.zip (60KB md5: 78721c4a3b2493c13c8bb0c3f9d9786b)
This archive contains GUI and command-line versions of the patch, a readme, the GPL license and source code.
You need to close Internet Explorer, Outlook and other programs that may be using the DLL before you attempt to patch.
After installing this patch you can test your IE browser by visiting a special page. A patched browser will not crash when it visits this page.
If your browser shows a red-square when visiting the page, your browser is patched or does not need the patch.
Warning! If you visit the above test page with an unpatched version of Internet Explorer it will crash.
It is important to rollback the ZERT patch (unpatch - remove our patch) before or after applying the vendor patch.
We unregister the vulnerable DLL, replace the vulnerable function and register patchedvgx.dll as the handler for VML.
A Microsoft patch would potentially fix a DLL not being used, so unpatching is important at that stage. We enable complete rollback in our patch.
Before installing the patch you must close both Internet Explorer and Outlook.
To install the patch first extract the folder, ZPatch, from the archive.
You may use either the GUI interface which is located
in ZPatch\Release or the command line version with is located in
Zpatch\Console\Release.
The archive includes a Microsoft Visual Studio project for each version of the patch.
To use the patch, run the GUI executable and click on "Patch". To remove the patch click on "Rollback".
For the command prompt version, use --patch and --unpatch respectively.
When patching an AMD64 system, browse (by clicking on Br) and choose the DLL manually.