A specially crafted web-page can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
The CAttrArray
object initially allocates a CImplAry
buffer of 0x40 bytes,
which can store 4 attributes. When the buffer is full, it is grown to 0x60
bytes. A new buffer is allocated at a different location in memory and the
contents of the original buffer is copied there. The repro causes the code to
do this, but the code continues to access the original buffer after it has been
freed.
If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.
This report was generated using a predecessor of BugId, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try BugId out yourself today! You'll get even better reports than this one with the current version.id: MSHTML.dll!ParseListStyleProperty Arbitrary~FE0 AVR(3986463A) description: Security: Attempt to read from unallocated arbitrary memory (@0x12D11FE0) in MSHTML. dll!ParseListStyleProperty note: The exception happens in the main process. Based on this information, this is expected to be a critical security issue!