Issue 17 – Msxml2.XMLHTTP.3.0 response handling memory corruption

Today Microsoft released MS10-051, a fix for a vulnerability in MSXML 3.0 which I reported to them on April 12th, 2010.

Case details can be found here.

MSIE 6, 7, 8 & 9 insertAdjacentElement NULL ptr

img=new Image();
img.insertAdjacentElement("afterEnd", img);

More details here: http://code.google.com/p/skylined/issues/detail?id=15

MSIE 8,9 (X)HTML stack exhaustion

Many nested tags in MSIE can cause stack exhaustion, which can crash the tab and even the entire browser.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<address/><address/><address/><address/><address/><address/>……

Microsoft Windows .ANI file BITMAPINFOHEADER.biClrUsed bounds check missing

Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
  DWORD biSize;
  LONG  biWidth;
  LONG  biHeight;
  WORD  biPlanes;
  WORD  biBitCount;
  DWORD biCompression;
  DWORD biSizeImage;
  LONG  biXPelsPerMeter;
  LONG  biYPelsPerMeter;
  DWORD biClrUsed;
  DWORD biClrImportant;
} BITMAPINFOHEADER;

“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”

ANI files store each frame of the animated cursor as a packed bitmap inside the ANI file…

Microsoft Internet Explorer 6.0/7.0 NULL pointer crashes

Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…

Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

(a.k.a. CVE-2009-2983)

Adobe fixed a bug in various COM objects. Loading and unloading these objects in a webpage in Firefox allows memory corruption, which can be exploited to execute arbitrary code…

MSIE Content-Encoding: deflate memory corruption vulnerability

(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)

Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation…