Microsoft Internet Explorer layout-grid-char Style Property Use-After-Free Memory Corruption

Added: 09/19/2011
CVE: CVE-2011-1260
BID: 48208
OSVDB: 72950

Background

Cascading Style Sheets (CSS) is a simple mechanism for adding style to web documents.

Problem

A use-after-free vulnerability exists in Microsoft's Internet Explorer layout engine (in mshtml.dll) when handling extra-large values for the layout-grid-char property. The resultant memory corruption can be exploited by a remote, unauthenticated attacker to execute arbitrary code in the context of the currently logged in user.

Resolution

Apply a patch as described in Microsoft Security Bulletin MS11-050.

References

http://www.zerodayinitiative.com/advisories/ZDI-11-194/
http://secunia.com/advisories/44914/

Limitations

Exploit works on Internet Explorer 8 on Microsoft Windows SP3 English with security update KB959426, and requires a user to open the exploit page in Internet Explorer.

Platforms

Windows XP

Back to exploit index