The vulnerability involves the way the browser handles cascading style sheets (CSS), and is triggered by recursive CSS pages in which a style sheet includes its own address. Microsoft confirmed the flaw in December and has now updated its advisory to include a workaround, following reports of attacks that target the vulnerability.
The workaround comes in the form of a "Fix It" solution from Microsoft. To be effective, the browser needs to have all the existing security updates installed. The fix basically forces Internet Explorer to avoid importing a CSS style sheet if it has the same URL as the CSS style sheet from which it is being loaded.
Using the Fix It solution will cause a slight performance hit, adding about 150 milliseconds to the browser's start-up time, so it should be removed after Microsoft releases a proper security update for the flaw.
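The same-URL condition the workaround keys on can also be checked from the defender's side when auditing stylesheets served by a site or captured by a proxy. The following is an added example, not Microsoft's code and not part of the original article; the URL normalization rules, the function names and the sample stylesheet are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urldefrag, urlsplit, urlunsplit

# Matches @import url("x"), @import url(x), @import "x" and @import 'x'.
IMPORT_RE = re.compile(
    r"""@import\s*(?:url\(\s*)?["']?([^"')\s;]+)["']?""",
    re.IGNORECASE,
)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize(url):
    """Drop the fragment and lowercase scheme and host before comparing.

    Assumption: this is one reasonable notion of "same URL"; the article
    does not say how the Fix It compares addresses.
    """
    url, _fragment = urldefrag(url)
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def self_imports(sheet_url, css_text):
    """Return the @import targets in css_text that resolve to sheet_url itself."""
    own = normalize(sheet_url)
    hits = []
    # Strip comments first so a commented-out rule is not reported.
    for target in IMPORT_RE.findall(COMMENT_RE.sub("", css_text)):
        if normalize(urljoin(sheet_url, target)) == own:
            hits.append(target)
    return hits


# Constructed sample: a stylesheet as it might be fetched from SAMPLE_URL.
SAMPLE_URL = "http://example.test/css/site.css"
SAMPLE_CSS = """
/* @import "site.css"; commented out, must be ignored */
@import url("reset.css");
@import "./site.css#top";
@import url(HTTP://EXAMPLE.TEST/css/site.css);
@import url("/css/print.css");
"""

if __name__ == "__main__":
    for target in self_imports(SAMPLE_URL, SAMPLE_CSS):
        print("self-import:", target)
```

Relative paths, fragments and host case are resolved before comparison, so a stylesheet that refers to itself indirectly is still flagged.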
Written by: James Delahunty @ 11 Jan 2011 23:21