Microsoft Windows .ANI file BITMAPINFOHEADER.biClrUsed bounds check missing

Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;

“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”

ANI files stores each frame of the animated cursor as a packed bitmap inside the ANI file…

Internet Exploiter 2 – bypassing DEP

In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits…

Microsoft Internet Explorer 6.0/7.0 NULL pointer crashes

Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…

Advances in heap spraying #1: when size matters.

http://skypher.com/SkyLined/heap_spray/small_heap_spray_generator.html

I’ve created a heap-spray generator…

MSIE Content-Encoding: deflate memory corruption vulnerability

(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)

Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation…

Cross browser parallel asynchronous XMLHttpRequests with timeout.

AsyncXMLHttpRequest is an extension of XMLHttpRequest with the following improvements:

Uniform behavior on multiple different browsers (Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera).
Event handlers are called with the AsyncXMLHttpRequest object to which they apply as the first argument…

MS09-014: EMBED element memory corruption

Microsoft has just released a fix for an issue I reported to them on December 4th, 2008. A simple repro can be found here

MSIE screen[""] NULL ptr DoS details

MSIE can be made to crash with a NULL ptr Read AV by executing a very small piece of JavaScript. This affects MSIE 6.0, 7.0 and 8.0 beta2…

Security contacts

I’ve created a table with contact information for security teams for mayor software vendors. I’m hoping you’ll find the information useful when you’re trying to report a vulnerability…

JavaScript stack trace

I’ve created an example script that outputs a stack dump in JavaScript. It shows all the functions that have been called, their arguments and the values of these arguments. I find it to be very useful while writing complex JavaScripts – I use it in asserts and error handlers to find out why things go wrong quickly…