Microsoft Internet Explorer CSS use-after-free vulnerability

2010-12-13T00:00:00
ID VU:634956
Type cert
Reporter CERT
Modified 2011-02-08T18:25:00

Description

Overview

Microsoft Internet Explorer contains a use-after-free vulnerability in the handling of CSS, which may allow a remote, unauthenticated attacker to execute arbitrary code.

Description

Microsoft Internet Explorer contains a vulnerability caused by a use-after-free error within the mshtml.dll library. This vulnerability can be exploited when processing a web page referencing a Cascading Style Sheet (CSS) file that includes various @import rules. We have confirmed that Internet Explorer 6, 7, and 8 are affected.

Exploit code for this vulnerability is publicly available.


Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.


Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS11-003.


Enable Data Execution Prevention (DEP) on Internet Explorer

Microsoft has published information on DEP as a mitigation for Internet Explorer vulnerabilities. DEP should not be treated as a complete workaround, but DEP can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. Use of DEP should be considered in conjunction with other mitigations described in this document.

Set the Internet zone security setting to "High"

Setting the Internet zone security setting to "High" will result in the user being prompted before running ActiveX controls and Active Scripting, which may reduce the risk of certain attack vectors. See Securing Your Web Browser for more information.

Disable Active Scripting

Disabling Active Scripting will prevent Active Scripting from running, which may reduce the risk of certain attack vectors. See Securing Your Web Browser for more information.

Modify Internet Explorer CSS style sheet importing

Microsoft has published information as a mitigation for this vulnerability. According to Microsoft: "This change causes Internet Explorer to refuse to import a CSS style sheet if it has the same URL as the CSS style sheet from which it is being loaded."
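The two browser-hardening workarounds above (Internet zone at "High", Active Scripting disabled) and the DEP recommendation are all settings an administrator can audit. The following PowerShell script is an added example, not part of this vulnerability note and not Microsoft's tooling: it reads the current user's Internet zone (zone 3) settings and the system-wide DEP policy and flags machines where neither workaround is in effect. The registry path under Internet Settings\Zones\3, the CurrentLevel and 1400 value names, and the WMI property DataExecutionPrevention_SupportPolicy are Windows/Internet Explorer settings not mentioned in the note; the meaning assigned to each numeric code below is an assumption drawn from their documented use.

```powershell
# Added audit script (not from the CERT note). Registry locations, value names and
# the meaning of each numeric code are assumptions based on Internet Explorer and
# Windows documentation; none of them appear in the vulnerability note itself.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# CurrentLevel holds the zone's security template; "High" is 0x12000.
$LevelNames = @{
    0x13000 = 'Low'
    0x10500 = 'Medium-low'
    0x10000 = 'Medium'
    0x11000 = 'Medium-high'
    0x12000 = 'High'
}

# Value "1400" is the "Active scripting" action: 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy encodes the boot-time
# DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-InternetZoneStatus {
    $zone      = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    $level     = [int]$zone.CurrentLevel
    $scripting = [int]$zone.'1400'

    # Unknown codes mean the zone was customised away from a built-in template.
    $levelName = $LevelNames[$level]
    if (-not $levelName) { $levelName = 'Custom (0x{0:X})' -f $level }
    $actionName = $ActionNames[$scripting]
    if (-not $actionName) { $actionName = "Unknown ($scripting)" }

    New-Object PSObject -Property @{
        ZoneLevel        = $levelName
        ZoneIsHigh       = ($level -eq 0x12000)
        ActiveScripting  = $actionName
        # Prompt or Disable both stop scripts from running silently.
        ScriptingBlocked = ($scripting -ne 0)
    }
}

function Get-DepPolicyStatus {
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    $name = $DepPolicyNames[$code]
    if (-not $name) { $name = "Unknown ($code)" }

    New-Object PSObject -Property @{
        DepPolicy          = $name
        # AlwaysOn and OptOut cover every process (iexplore.exe included) unless it
        # is explicitly exempted; OptIn covers only binaries that opt in themselves.
        CoversAllProcesses = ($code -eq 1 -or $code -eq 3)
    }
}

$zoneStatus = Get-InternetZoneStatus
$depStatus  = Get-DepPolicyStatus

$zoneStatus | Format-List
$depStatus  | Format-List

if (-not $zoneStatus.ZoneIsHigh -and -not $zoneStatus.ScriptingBlocked) {
    Write-Warning 'Internet zone runs Active Scripting silently: neither browser workaround is in effect.'
}
if (-not $depStatus.CoversAllProcesses) {
    Write-Warning 'DEP is not enforced system-wide; confirm iexplore.exe is opted in before relying on it.'
}
```

The script reads HKCU, so it reports the settings of the user running it; to audit a zone policy pushed by Group Policy, query the matching key under HKLM and HKCU\Software\Policies as well. A "High" zone level alone is reported separately from the Active Scripting action because a custom zone can block scripting without using the High template.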


Vendor Information


Microsoft Corporation

Notified: December 13, 2010
Updated: February 08, 2011

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://www.microsoft.com/technet/security/bulletin/ms11-003.mspx>
  • <http://blogs.technet.com/b/srd/archive/2011/01/11/new-workaround-included-in-security-advisory-2488013.aspx>
  • <http://www.microsoft.com/technet/security/advisory/2488013.mspx>

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.microsoft.com/technet/security/advisory/2488013.mspx>
  • <http://threatpost.com/en_us/blogs/new-remotely-exploitable-bug-found-internet-explorer-121010>
  • <http://www.breakingpointsystems.com/community/blog/ie-vulnerability/>
  • <http://www.wooyun.org/bugs/wooyun-2010-0885>
  • <http://seclists.org/fulldisclosure/2010/Dec/110>
  • <http://secunia.com/advisories/42510>
  • <http://blogs.technet.com/b/srd/archive/2011/01/11/new-workaround-included-in-security-advisory-2488013.aspx>
  • <http://www.microsoft.com/technet/security/bulletin/ms11-003.mspx>

Acknowledgements

WooYun publicly reported this vulnerability.

This document was written by Michael Orlando.

Other Information

Field | Value
---|---
CVE IDs | CVE-2010-3971
Severity Metric | 14.65
Date Public | 2010-12-10
Date First Published | 2010-12-13
Date Last Updated | 2011-02-08 18:25 UTC
Document Revision | 29