Hijacking IE\’s user style sheet

A new, daring hijacking exploit was carried out on my computer—taking over my user style sheet.

The user style sheet is something used by the browser which most people haven’t ever heard of. It’s mainly an accessibility feature—you could set your own CSS styles to display everything in large type, for instance. (In IE, you set it with Tools | Internet Options… | General | Accessibility… | User style sheet.)

The devious thing about this exploit was that the user style sheet the malware stuck on my computer contained CSS property values computed using Microsoft’s proprietary expression feature for dynamically computing property values. Specifically, within an expression giving the value of some attribute for the BODY tag, it was looking up certain keywords within the META tag, and if it found them created a pop-up window which took over the entire screen!

I hear that the next release of XP has anti-malware features. It certainly seems like a no-brainer to disable the expression feature in user style sheets, to not allow pop-ups to be created from within CSS expressions anywhere, or, most basically, to not allow any changes to the user style sheet without the user’s express permission.

I guess this exploit is actually not that new. This article about it dates back to summer 2003.

Leave a Reply