Ravens PHP Scripts

Internet Explorer 8 CSS Parser Exploit
Date: Monday, December 27, 2010 @ 14:09:17 CET
Topic: Security

Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 7 and 8 and possibly other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted document.

What is CSharedStyleSheet? When building lengthy websites, designers will create several stylesheets, each covering a different area of the site. They are then joined together using @import statements. Example: @import url("nav.css"); I use this method all the time, and it's a method most CMSs use.

Although the above vulnerability is being reported as the result of a Denial of Service (DoS) attack, it isn't. But it can be exploited. The critical update is reported in MS10-090, Cumulative Security Update for Internet Explorer (2416400). To check whether your computer has the patch that was auto-installed on Dec 16, 2010, go to Start/Control Panel/Add or Remove Programs. Then scroll down the page until you come to Security Update for Windows Internet Explorer 8 (KB2416400). If you can't find it, then you need to install the patch as soon as possible.

Another, easier method of checking whether your system (SP3) is patched is to go to the Microsoft Update website, http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us, using IE 6, 7, or 8. Choose high priority updates. You will have to install the current version of ActiveX so that the site can search your system for the updates that are missing. If it is found that you don't have the patch, you will have the option of installing it or not.
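
The Add or Remove Programs check described above can also be scripted. The following is an added example, not part of the original article; it assumes PowerShell 2.0 or later is installed, and the function name Test-KbInstalled is hypothetical.

```powershell
# Added example: look for evidence that KB2416400 (MS10-090) is installed.
$kb = 'KB2416400'   # KB number taken from the article

function Test-KbInstalled {
    param([Parameter(Mandatory = $true)][string]$KbId)

    $found = @()

    # Source 1: the hotfix list exposed by Get-HotFix (Win32_QuickFixEngineering).
    Get-HotFix -Id $KbId -ErrorAction SilentlyContinue | ForEach-Object {
        $found += "Get-HotFix: $($_.HotFixID)"
    }

    # Source 2: the Uninstall registry keys that Add or Remove Programs lists.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # second root exists on 64-bit only
        Get-ChildItem $root | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            # Match on either the key name or the display name shown to the user.
            if ($_.PSChildName -like "*$KbId*" -or $props.DisplayName -like "*$KbId*") {
                $found += "Registry: $($props.DisplayName)"
            }
        }
    }
    return ,$found   # comma keeps the result an array even when empty
}

$evidence = Test-KbInstalled -KbId $kb
if ($evidence.Count -gt 0) {
    Write-Output "$kb appears to be installed:"
    $evidence | ForEach-Object { Write-Output "  $_" }
} else {
    # Cumulative IE updates replace earlier ones, so absence is not proof.
    Write-Output "$kb not found; confirm through Microsoft Update."
}
```

A missing entry is not conclusive on its own, because a later cumulative Internet Explorer update can replace this one; the Microsoft Update scan remains the authoritative check.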

To really get into the inner workings of this "exploit", go here: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/ Before you start reading, though, notice that the author is using MS10-071 on XP SP3 to support the assumption, but this version is not patched, although MS bulletin 2010-090 refers to the "patched" version of XP (SP3) as I referenced above.

Cheers and keep secure out there.

