A specially crafted web-page can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.
Microsoft Internet Explorer 9
CAttrArray object initially allocates a
CImplAry buffer of 0x40 bytes,
which can store 4 attributes. When the buffer is full, it is grown to 0x60
bytes. A new buffer is allocated at a different location in memory and the
contents of the original buffer is copied there. The repro causes the code to
do this, but the code continues to access the original buffer after it has been
If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.
This report was generated using a predecessor of BugId, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try BugId out yourself today! You'll get even better reports than this one with the current version.id: MSHTML.
dll!ParseListStyleProperty Arbitrary~FE0 AVR(3986463A) description: Security: Attempt to read from unallocated arbitrary memory (@0x12D11FE0) in MSHTML. dll!ParseListStyleProperty note: The exception happens in the main process. Based on this information, this is expected to be a critical security issue!