Microsoft Internet Explorer layout-grid-char Style Property Use-After-Free Memory Corruption

2011-09-19T00:00:00
ID SAINT:2D6E0CA4170203B22C609949EFF30188
Type saint
Reporter SAINT Corporation
Modified 2011-09-19T00:00:00

Description

Added: 09/19/2011
CVE: CVE-2011-1260
BID: 48208
OSVDB: 72950

Background

Cascading Style Sheets (CSS) is a simple mechanism for adding style to web documents.

Problem

A use-after-free vulnerability exists in Microsoft's Internet Explorer layout engine (in mshtml.dll) when handling extra-large values for the layout-grid-char property. The resultant memory corruption can be exploited by a remote, unauthenticated attacker to execute arbitrary code in the context of the currently logged in user.

Resolution

Apply a patch as described in Microsoft Security Bulletin MS11-050.

References

<http://www.zerodayinitiative.com/advisories/ZDI-11-194/>
<http://secunia.com/advisories/44914/>

Limitations

Exploit works on Internet Explorer 8 on Microsoft Windows SP3 English with security update KB959426, and requires a user to open the exploit page in Internet Explorer.

Platforms

Windows XP