Just before the Holidays, details of a zero-day vulnerability in Internet Explorer emerged. Now, after nearly three weeks, Microsoft have issued a temporary fix.
The flaw gives hackers a means to infect PCs with malware when someone visits a booby-trapped web site. The problem lies in the way Internet Explorer handles cascading style sheets, specifically recursive CSS pages which have the same URL as the CSS style sheet from which they are being called. In such circumstances Internet Explorer is left with uninitialized memory, which a specially crafted web page can use to execute remote code.
Microsoft’s Fixit solution is not intended to be a replacement for a future security update; it is a temporary workaround, probably until Microsoft’s next Patch Tuesday. According to the Fixit description, “This Fixit solution adds a check to check whether a cascading style sheet is about to be loaded recursively. If this is the case, the Fixit solution cancels the loading of the cascading style sheet.”
The vulnerability affects Internet Explorer 6, 7 and 8 on all Windows platforms.
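The check the Fixit description talks about can be modelled outside the browser, for example to audit the style sheets a site serves. The following is an added example, not Microsoft's code: it assumes one style sheet calls another through the CSS `@import` rule, the function names and the `example.test` sheets are constructed for illustration, and it goes slightly beyond the self-referencing case by also catching longer import loops.

```javascript
// Added example: models the "is this style sheet about to be loaded
// recursively?" check over an in-memory set of style sheets (constructed data).

// Pull the target of every @import rule: url("x"), url(x), "x" or 'x'.
function importTargets(css) {
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const re = /@import\s*(?:url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)|"([^"]*)"|'([^']*)')/gi;
  const out = [];
  for (const m of noComments.matchAll(re)) {
    out.push(m[1] ?? m[2] ?? m[3] ?? m[4] ?? m[5]);
  }
  return out;
}

// Resolve against the importing sheet and drop the fragment, so that
// "./a.css", "a.css#x" and the absolute URL all compare equal.
function canonical(ref, base) {
  const u = new URL(ref, base);
  u.hash = "";
  return u.href;
}

// Walk imports depth-first. `inFlight` holds the sheets currently being
// loaded; an import that points back into it is cancelled and reported.
function findRecursiveLoads(startUrl, sheets) {
  const cancelled = [];
  const inFlight = [];
  const done = new Set();
  (function load(url) {
    inFlight.push(url);
    for (const ref of importTargets(sheets[url] ?? "")) {
      let target;
      try { target = canonical(ref, url); } catch { continue; } // unparseable URL
      if (inFlight.includes(target)) cancelled.push({ from: url, to: target });
      else if (!done.has(target)) load(target);
    }
    inFlight.pop();
    done.add(url);
  })(canonical(startUrl));
  return cancelled;
}

// Constructed sample: a.css imports itself; b.css and c.css import each other.
const SAMPLE = {
  "https://example.test/css/a.css": '/* @import "x.css"; */ @import url("a.css");',
  "https://example.test/css/b.css": "@import 'c.css';",
  "https://example.test/css/c.css": "@import url(./b.css#top);",
};
```

Each reported `{ from, to }` pair is a load that would be cancelled because `to` is already in the middle of being loaded.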