Exploit code for the vulnerability has been added to the Metasploit tool and a video has been posted to provide a demo of the severity.
Here’s a brief description of the issue from VUPEN:
A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the “mshtml.dll” library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various “@import” rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page.
VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.
Metasploit’s exploit code provides some more information:
This module exploits a memory corruption vulnerability within Microsoft HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution.
According to the video posted by Abysssec Security Research, the exploit bypasses two key Windows anti-exploit mitigations (DEP and ASLR) without the use of any third party extensions.
There are reports that the vulnerability was first published on a Chinese security blog.
This blog post is originally copied from http://www.zdnet.com