MS KB2488013: Internet Explorer CSS Import Rule Processing Arbitrary Code Execution

This script is Copyright (C) 2011-2017 Tenable Network Security, Inc.


Synopsis :

Arbitrary code can be executed on the remote host through a web
browser.

Description :

The remote host is missing one of the workarounds referenced in KB
2488013.

The remote version of IE reportedly fails to correctly process certain
specially crafted Cascading Style Sheets (CSS), which could result in
arbitrary code execution on the remote system.

See also :

http://seclists.org/fulldisclosure/2010/Dec/110
http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
http://support.microsoft.com/kb/2488013/en-us
http://technet.microsoft.com/en-us/security/advisory/2488013

Solution :

Apply the workarounds suggested by Microsoft.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 51587

Bugtraq ID: 45246

CVE ID: CVE-2010-3971
