(The fix and CVE number for this issue are unknown)
A specially crafted web-page can cause the iertutil.
Microsoft Internet Explorer 11
This looks like a pretty straightforward use-after-free, but I did not investigate at what point in the repro the memory gets freed and when it gets re-used, so I do not know if an attacker has any chance to force reallocation of the freed memory before reuse.
The issue can be triggered with MemGC enabled; the object that is freed does not appear to be protected by MemGC.
The repro requires that MSIE is run in single-process mode in order to trigger the use-after-free. It is not known if it is possible to tweak the repro to have MSIE take a similar code-path that leads to a use-after-free when MSIE is not in single-process mode.
MSIE can be started in single-process mode by setting the following registry value before starting MSIE:
HKCU\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = DWORD:0
To revert this change, remove the registry key or set the value to 1 and restart MSIE.
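Because the TabProcGrowth setting above deliberately disables tab-process isolation, a test machine used to reproduce this issue should be checked and returned to the default afterwards. The following PowerShell script is an added example, not part of the original advisory: it reports whether the current user's MSIE is configured for single-process mode and reverts it using the two options the advisory gives (set the value to 1, or remove it). The key path and value name are taken from the advisory; the function and parameter names are my own.

```powershell
# Added example (not part of the original advisory): audit and optionally revert
# the single-process-mode setting described in the advisory.

function Get-IESingleProcessMode {
    # Returns $true when TabProcGrowth exists and is 0 (single-process mode),
    # $false when the value is absent or set to anything else.
    $keyPath = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $item = Get-ItemProperty -Path $keyPath -Name 'TabProcGrowth' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    # The advisory describes the value as a DWORD; compare numerically so a
    # string "0" written by other tooling is treated the same way.
    return ([int]($item.TabProcGrowth) -eq 0)
}

function Restore-IEMultiProcessMode {
    # Reverts the change as the advisory describes: set the value back to 1,
    # or delete it entirely when -Remove is given (the other option offered).
    param([switch]$Remove)
    $keyPath = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $keyPath)) { return }
    if ($Remove) {
        Remove-ItemProperty -Path $keyPath -Name 'TabProcGrowth' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $keyPath -Name 'TabProcGrowth' -Value 1 -Type DWord
    }
}

# Usage: report the current state and revert it if single-process mode is on.
if (Get-IESingleProcessMode) {
    Write-Output 'MSIE is configured for single-process mode (TabProcGrowth = 0); reverting.'
    Restore-IEMultiProcessMode
    Write-Output 'Restart MSIE for the change to take effect.'
} else {
    Write-Output 'MSIE is not in single-process mode.'
}
```

The check reads only HKCU, matching the key the advisory names; a machine-wide policy under HKLM would need a separate check with the same pattern. The revert requires an MSIE restart, as the advisory notes.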
A number of factors appear to be getting in the way of creating a usable exploit for this issue:
|Description:|Access violation while reading freed memory at 0x1FFE25A6ED2|
|Security impact:|Potentially exploitable security issue|