A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Microsoft Internet Explorer 9
<iframe style="border:1px solid red;width:100%;height:100%;" name="iframe"></iframe> <script> window.open("Repro.Repro.
This is the first security vulnerability I sold to ZDI after I quit my job at Google to live off security bug bounties. It appears I either did not analyze this issue (probably), or misplaced my analysis (probably not), as I cannot find any details in my archives, other than a repro and a HTML bug report (provided below) created by a predecessor to BugId. From the information provided by ZDI in their advisory, and Microsoft in their bulletin, as well as the bug report, it seems to have been a use-after-free vulnerability. Unfortunately, that is all the analysis I can provide.
id: Arbitrary AVR@MSHTML.
dll!CDoc:: ExecuteScriptUri(ey2j) description: Security: Attempt to read from unallocated arbitrary memory (@0x14E86F9C) in MSHTML. dll!CDoc:: ExecuteScriptUri note: Based on this information, this is expected to be a security issue! application: MSIE 9. 00. 8112. 16421