Posted on Thursday, December 23 2010 @ 19:32 CET by Thomas De Maesschalck
Microsoft issued a warning that a bug in the handling of Cascading Style Sheet (CSS) code can be exploited to overwrite uninitialised memory and execute arbitrary code. The software giant will take appropriate action to resolve the security bug but at this moment it's unknown whether the flaw will be fixed through the monthly security update release process or an out-of-cycle security update. Users are advised to run IE in Protected Mode and to ensure that their main user account is not configured as a system administrator.
The flaw can be exploited to remotely run code under the account of a logged in user by simply visiting a CSS website that contains malicious code. It's a serious issue, but it's one that Microsoft believes isn't currently being exploited by ne'er-do-wells.
There is no known fix for the flaw at present, although Microsoft reports that it's 'investigating new, public reports of a vulnerability in all supported versions of Internet Explorer, and on completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.'
Source: Bit Tech
