Posted by SkyLined on August 10th, 2010 in Browsers, Internet Explorer, Repro and Security ·
Today Microsoft released MS10-051; a fix for a vulnerability in MSXML 3.0 which I reported to them April 12th 2010.
Case details can be found here.
Posted by SkyLined on April 12th, 2010 in Browsers, Chrome, Firefox, Internet Explorer, Opera, PoC, Safari and Security ·
From http://support.apple.com/kb/HT4104:
CVE-ID: CVE-2010-0536
Impact: Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of BMP images…
Posted by SkyLined on April 12th, 2010 in Browsers, HTML, Internet Explorer, Programming Languages, Repro and Security ·
Many nested tags in MSIE can cause stack exhaustion, which can crash the tab and even the entire browser.
<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE HTML PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN”
“http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<address/><address/><address/><address/><address/><address/>……
Posted by SkyLined on April 12th, 2010 in Browsers, HTML, Internet Explorer, JavaScript and PoC ·
The following code snippets will crash MSIE 9 platform review…
Posted by SkyLined on March 8th, 2010 in Browsers, Internet Explorer, Repro and Security ·
Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;
“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”
ANI files stores each frame of the animated cursor as a packed bitmap inside the ANI file…
Posted by SkyLined on March 1st, 2010 in Browsers, HTML, Internet Explorer, JavaScript, PoC, Programming Languages and Security ·
In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits…
Posted by SkyLined on January 20th, 2010 in Browsers, Internet Explorer, JavaScript, Programming Languages, Repro and Security ·
Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…
Posted by SkyLined on October 13th, 2009 in Browsers, Internet Explorer, Repro and Security ·
(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)
Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation…
