Posted by SkyLined on August 10th, 2010 in Browsers, Internet Explorer, Repro and Security ·
Today Microsoft released MS10-051; a fix for a vulnerability in MSXML 3.0 which I reported to them April 12th 2010.
Case details can be found here.
Posted by SkyLined on August 10th, 2010 in Browsers, JavaScript, Programming Languages, Security and Tools ·
I revisited and released an old tool for compressing and obfuscating JavaScript. Given a JavaScript as input, it will generate and output self-extracting compressed JavaScript.
http://code.google.com/p/jssfx/
Posted by SkyLined on July 16th, 2010 in PoC and Security ·
While looking at logs from my fuzzers, I found a bug in UltraEdit that triggered when I loaded a file with a long string of alphabetic characters…
Posted by SkyLined on April 12th, 2010 in Browsers, Chrome, Firefox, Internet Explorer, Opera, PoC, Safari and Security ·
From http://support.apple.com/kb/HT4104:
CVE-ID: CVE-2010-0536
Impact: Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of BMP images…
Posted by SkyLined on April 12th, 2010 in Browsers, HTML, Internet Explorer, Programming Languages, Repro and Security ·
Many nested tags in MSIE can cause stack exhaustion, which can crash the tab and even the entire browser.
<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE HTML PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN”
“http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<address/><address/><address/><address/><address/><address/>……
Posted by SkyLined on April 12th, 2010 in Browsers, HTML, Internet Explorer, JavaScript and PoC ·
The following code snippets will crash MSIE 9 platform review…
Posted by SkyLined on March 8th, 2010 in Browsers, Internet Explorer, Repro and Security ·
Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;
“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”
ANI files stores each frame of the animated cursor as a packed bitmap inside the ANI file…
Posted by SkyLined on March 1st, 2010 in Browsers, HTML, Internet Explorer, JavaScript, PoC, Programming Languages and Security ·
In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits…
Posted by SkyLined on January 20th, 2010 in Browsers, Internet Explorer, JavaScript, Programming Languages, Repro and Security ·
Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…
