VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2005 · Updated Jun 16, 2026

CVE-2005-4089

Description

Microsoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4
  • Microsoft/Ie (2 versions)
    • cpe:2.3:a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:6.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • (no CPE)

Vulnerability mechanics

Root cause

"IE's CSS parser does not enforce cross-domain restrictions and exposes non-CSS content from remote URLs through the cssText property."

Attack vector

An attacker hosts a malicious web page that uses the CSS @import directive (or the JavaScript addImport function) to import a URL from a different domain. Because IE's CSS parser is overly lenient, it parses non-CSS content from the target domain — particularly HTML containing curly braces — and exposes the mis-parsed snippets through the cssText property of the document.styleSheets collection [ref_id=1]. The attacker can then read sensitive information from the target domain, such as a secret key embedded in a page on Google News, and use that key to query a local web server (e.g., Google Desktop on port 4664) to retrieve private user data [ref_id=1]. No special privileges or user interaction beyond visiting the malicious page is required; the attack works on a fully patched IE 6 with default security and privacy settings [ref_id=1].

Affected code

The vulnerability is a design flaw in Microsoft Internet Explorer's handling of CSS imports. IE allows a web page to import CSS rules from a different domain using the "@import" directive or the JavaScript "addImport" function, and then read the imported content via the "cssText" property of the document.styleSheets collection. The browser's lenient CSS parser does not reject non-CSS content; it mis-parses HTML snippets that contain CSS-like characters (curly braces, colons, semicolons) and exposes them through cssText, breaking cross-domain security restrictions [ref_id=1].

What the fix does

The advisory does not include a patch from Microsoft. The researcher notes that the vulnerability is a design flaw in IE's CSS import mechanism and that no simple fix existed at the time of disclosure [ref_id=1]. As a mitigation, the researcher recommends disabling JavaScript in IE or using an alternative browser such as Mozilla Firefox or Opera, which are not vulnerable to this attack [ref_id=1]. Google also patched their sites to prevent the specific exploit against Google Desktop, but the underlying IE vulnerability remained unaddressed [ref_id=1].

Preconditions

  • config: Victim must use Microsoft Internet Explorer (tested on IE 6, earlier versions possibly vulnerable)
  • input: Victim must visit an attacker-controlled web page
  • input: Target domain must contain HTML with CSS-like characters (curly braces, colons, semicolons) for content to be readable
  • config: For the Google Desktop exploit specifically, victim must have Google Desktop v2 installed
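
Added example (not from the advisory or the researcher): a site-side audit built on a simplified model of the lenient parsing described above. It checks whether a secret in a raw response falls inside a brace-delimited span and shows that entity-encoding braces in reflected input removes it. The scanning rule is an assumption, not IE's actual algorithm, and `blockSpans`, `secretsInBlocks`, `encodeBraces`, `renderPage`, the sample page and the key are constructed for illustration.

```javascript
// Added example. Simplified model (assumption), not IE's real CSS parser:
// everything between "{" and its matching "}" is treated as a rule body that
// would be readable via cssText; an unclosed "{" runs to the end of input.
function blockSpans(body) {
  const spans = [];
  let depth = 0;
  let start = -1;
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '{') {
      if (depth === 0) start = i + 1;
      depth++;
    } else if (body[i] === '}' && depth > 0) {
      depth--;
      if (depth === 0) spans.push(body.slice(start, i));
    }
  }
  if (depth > 0) spans.push(body.slice(start)); // unclosed block
  return spans;
}

// Return the secrets that land inside a brace-delimited span of the raw body.
function secretsInBlocks(body, secrets) {
  const spans = blockSpans(body);
  return secrets.filter((s) => spans.some((span) => span.includes(s)));
}

// Encode braces in reflected input so it cannot open or close a span.
// Applied in addition to normal HTML escaping, not instead of it.
function encodeBraces(value) {
  return String(value).replace(/\{/g, '&#123;').replace(/\}/g, '&#125;');
}

// Constructed sample: a page that reflects the query ahead of a per-user key.
const SECRET = 'CONSTRUCTED-KEY-1234';
function renderPage(query, harden) {
  const shown = harden ? encodeBraces(query) : query;
  return `<html><body><p>Results for ${shown}</p>` +
         `<a href="/local?key=${SECRET}">Desktop</a></body></html>`;
}

const reflected = 'news {'; // constructed query containing a brace
console.log('unhardened:', secretsInBlocks(renderPage(reflected, false), [SECRET]));
console.log('hardened:  ', secretsInBlocks(renderPage(reflected, true), [SECRET]));
```

Braces already present in a page (inline scripts or styles) still produce spans under this model, so the audit is worth running over real templates, not only over reflected parameters.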

Reproduction

The proof-of-concept page was hosted at http://www.hacker.co.il/security/ie/css_import.html but the researcher notes it no longer works because Google patched their sites [ref_id=1]. The reproduction steps described are: (1) create a malicious page that uses CSS @import to fetch a URL from news.google.com with injected curly braces; (2) read the imported content via document.styleSheets[0].cssText to extract the Google Desktop secret key; (3) use the key to construct a query URL to the local GDS web server on port 4664; (4) import that URL via CSS and read the search results from cssText [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13