ID CVE-2010-3971
Summary Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."
References
Vulnerable Configurations
  • Microsoft Internet Explorer 7
    cpe:2.3:a:microsoft:ie:7
  • Microsoft Internet Explorer 8
    cpe:2.3:a:microsoft:ie:8
CVSS
Base: 9.3 (as of 23-12-2010 - 09:08)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
  • description Microsoft Internet Explorer 8 - CSS Parser Denial of Service. CVE-2010-3971. DoS exploit for windows platform
    file exploits/windows/dos/15708.html
    id EDB-ID:15708
    last seen 2016-02-01
    modified 2010-12-08
    platform windows
    port
    published 2010-12-08
    reporter WooYun
    source https://www.exploit-db.com/download/15708/
    title Microsoft Internet Explorer 8 - CSS Parser Denial of Service
    type dos
  • description Internet Explorer CSS Recursive Import Use After Free. CVE-2010-3971. Remote exploit for windows platform
    id EDB-ID:16533
    last seen 2016-02-02
    modified 2011-02-08
    published 2011-02-08
    reporter metasploit
    source https://www.exploit-db.com/download/16533/
    title Microsoft Internet Explorer - CSS Recursive Import Use After Free
  • description Microsoft Internet Explorer 8 - CSS Parser Exploit. CVE-2010-3971. Remote exploit for windows platform
    file exploits/windows/remote/15746.rb
    id EDB-ID:15746
    last seen 2016-02-01
    modified 2010-12-15
    platform windows
    port
    published 2010-12-15
    reporter Nephi Johnson
    source https://www.exploit-db.com/download/15746/
    title Microsoft Internet Explorer 8 - CSS Parser Exploit
    type remote
metasploit via4
description This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.
id MSF:EXPLOIT/WINDOWS/BROWSER/MS11_003_IE_CSS_IMPORT
last seen 2019-03-17
modified 2018-10-02
published 2011-02-08
reliability Good
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms11_003_ie_css_import.rb
title MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free
msbulletin via4
bulletin_id MS11-003
bulletin_url
date 2011-02-08T00:00:00
impact Remote Code Execution
knowledgebase_id 2482017
knowledgebase_url
severity Critical
title Cumulative Security Update for Internet Explorer
nessus via4
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS11-003.NASL
    description The remote host is missing Internet Explorer (IE) Security Update 2482017. The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 51903
    published 2011-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51903
    title MS11-003: Cumulative Security Update for Internet Explorer (2482017)
  • NASL family Windows
    NASL id SMB_KB2488013.NASL
    description The remote host is missing one of the workarounds referenced in KB 2488013. The remote version of IE reportedly fails to correctly process certain specially crafted Cascading Style Sheets (CSS), which could result in arbitrary code execution on the remote system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 51587
    published 2011-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51587
    title MS KB2488013: Internet Explorer CSS Import Rule Processing Arbitrary Code Execution
oval via4
accepted 2014-08-25T04:00:18.874-04:00
class vulnerability
contributors
  • name Dragos Prisaca
    organization Symantec Corporation
  • name Josh Turpin
    organization Symantec Corporation
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 for Itanium is installed
    oval oval:org.mitre.oval:def:1867
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 for Itanium is installed
    oval oval:org.mitre.oval:def:1867
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Internet Explorer 8 is installed
    oval oval:org.mitre.oval:def:6210
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Internet Explorer 8 is installed
    oval oval:org.mitre.oval:def:6210
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
  • comment Microsoft Internet Explorer 8 is installed
    oval oval:org.mitre.oval:def:6210
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
  • comment Microsoft Internet Explorer 8 is installed
    oval oval:org.mitre.oval:def:6210
description Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."
family windows
id oval:org.mitre.oval:def:12382
status accepted
submitted 2011-02-08T14:00:00
title CSS Memory Corruption Vulnerability
version 78
packetstorm via4
data source https://packetstormsecurity.com/files/download/98389/ms11_003_ie_css_import.rb.txt
id PACKETSTORM:98389
last seen 2016-12-05
published 2011-02-10
reporter jduck
source https://packetstormsecurity.com/files/98389/Internet-Explorer-CSS-Recursive-Import-Use-After-Free.html
title Internet Explorer CSS Recursive Import Use After Free
refmap via4
bid 45246
cert-vn VU#634956
confirm http://support.avaya.com/css/P8/documents/100127294
exploit-db
  • 15708
  • 15746
fulldisc 20101208 IE CSS parser dos bug
misc
ms MS11-003
sectrack 1024922
secunia 42510
vupen
  • ADV-2010-3156
  • ADV-2011-0318
saint via4
bid 45246
description Microsoft Internet Explorer CSS Import Use-After-Free Code Execution
id win_patch_ie_v8
osvdb 69796
title ie_css_import
type client
Last major update 18-07-2011 - 22:40
Published 22-12-2010 - 16:00
Last modified 12-10-2018 - 17:58