This is a friendly warning that your web-browser does not currently protecting your privacy and/or security as well as you might want. Click on this message to see more information about the issue(s) that were detected.

MSIE8 MSHTML Ptls5::Ls­Find­Span­Visual­Boundaries memory corruption

(The fix and CVE number for this bug are unknown)

Synopsis

A specially crafted web-page can cause an unknown type of memory corruption in Microsoft Internet Explorer 8. This vulnerability can cause the Ptls5::Ls­Find­Span­Visual­Boundaries method (or other methods called by it) to access arbitrary memory.

Known affected software, attack vectors and mitigations

Description

The memory corruption causes the Ptls5::Ls­Find­Span­Visual­Boundaries method to access data at seemingly random addresses. However, these addresses appear to always be in the same range as valid heap addresses, even if they are often not DWORD aligned. The reason for the memory corruption is not immediately obvious.

Repro.html <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <body> <button> <pre> <x> <sub> <ruby> <img height="1"/> </ruby> </sub> </x> </pre> </button> </body> </html>

Time-line

Bug­Id report: mshtml.dll!Ptls5::Ls­Find­List­Du Arbitrary~021 AVR(67C1FF4C) This report was generated using a predecessor of Bug­Id, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try Bug­Id out yourself today! You'll get even better reports than this one with the current version.
id:             mshtml.dll!Ptls5::Ls­Find­List­Du Arbitrary~021 AVR(67C1FF4C)
description:    Security: Attempt to read from unallocated arbitrary memory (@0x000B2021) in mshtml.dll!Ptls5::Ls­Find­List­Du
note:           Based on this information, this is expected to be a security issue!
Bug­Id report: mshtml.dll!Ptls5::Ls­Find­Span­Visual­Boundaries Arbitrary~0EE AVR(A2DF6722) This report was generated using a predecessor of Bug­Id, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try Bug­Id out yourself today! You'll get even better reports than this one with the current version.
id:             mshtml.dll!Ptls5::Ls­Find­Span­Visual­Boundaries Arbitrary~0EE AVR(A2DF6722)
description:    Security: Attempt to read from unallocated arbitrary memory (@0x000DA0EE) in mshtml.dll!Ptls5::Ls­Find­Span­Visual­Boundaries
note:           Based on this information, this is expected to be a security issue!
Bug­Id report: mshtml.dll!Ptls5::Ls­Find­Span­Visual­Boundaries Guard­Page(A2DF6722) This report was generated using a predecessor of Bug­Id, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try Bug­Id out yourself today! You'll get even better reports than this one with the current version.
id:             mshtml.dll!Ptls5::Ls­Find­Span­Visual­Boundaries Guard­Page(A2DF6722)
description:    Guard page violation in mshtml.dll!Ptls5::Ls­Find­Span­Visual­Boundaries
© Copyright 2016 by Sky­Lined.
Creative Commons License This work is licensed under a Creative Commons Attribution-Non‑Commercial 4.0 International License.

Last updated on 2016-11-21.
If you find this web-site useful and would like to make a donation, you can send bitcoin to 183yyxa9s1s1f7JBp­PHPmz­Q346y91Rx5DX.