IE8 Css Cross-Domain Information Disclosure Vulnerability Author: www.80vul.com [Email:5up3rh3i#gmail.com] Release Date: 2010/10/14 References: http://www.80vul.com/ie8/IE8%20Css%20Cross-Domain%20Information%20Disclosure%20Vulnerability.txt Overview: MS-071 have fixed a Cross-Domain Information Disclosure Vulnerability by CSS imports() on IE8, this vul look like had fixed on 2005 by hacker.co.il[1],but when it work well on IE8 . POC[2]: Disclosure Timeline: 2010/09/09 - Found this Vulnerability 2010/10/12 - Microsoft Security Bulletin MS10-071 Published 2010/10/14 - Public Disclosure References: [1] http://www.hacker.co.il/security/ie/css_import.html [2] http://80vul.com/cssinj/ms071.html -- hitest _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/