A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. ZDI revealed that this was a use-after-free vulnerability, though their advisory mentions an iframe, which is not in the repro I provided. I have included a number of reports created using a predecessor of BugId below.
Repro.This report was generated using a predecessor of BugId, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try BugId out yourself today! You'll get even better reports than this one with the current version.id: Arbitrary AVR@MSHTML.dll!CMarkup:: RemovePointerPos(jQkX) description: Security: Attempt to read from unallocated arbitrary memory (@0x12F38FF0) in MSHTML. dll!CMarkup:: RemovePointerPos note: Based on this information, this is expected to be a security issue! application: MSIE 9. 00. 8112. 16421