Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption

🗓️ 22 Nov 2016 00:00:00Reported by SkyLinedType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption foun

Code
`Throughout November, I plan to release details on vulnerabilities I  
found in web-browsers which I've not released before. This is the  
fifteenth entry in that series. Unfortunately I won't be able to  
publish everything within one month at the current rate, so I may  
continue to publish these through December and January.  
  
The below information is available in more detail on my blog at  
http://blog.skylined.nl/20161121001.html.  
  
Follow me on http://twitter.com/berendjanwever for daily browser bugs.  
  
MSIE8 MSHTML Ptls5::LsFindSpanVisualBoundaries memory corruption  
================================================================  
(The fix and CVE number for this bug are unknown)  
  
Synopsis  
--------  
A specially crafted web-page can cause an unknown type of memory  
corruption in Microsoft Internet Explorer 8. This vulnerability can  
cause the `Ptls5::LsFindSpanVisualBoundaries` method (or other methods  
called by it) to access arbitrary memory.  
  
Known affected software, attack vectors and mitigations  
-------------------------------------------------------  
* Microsoft Internet Explorer 8  
  
An attacker would need to get a target user to open a specially  
crafted web-page. JavaScript is not necessarily required to trigger  
the issue.  
  
Description  
-----------  
The memory corruption causes the `Ptls5::LsFindSpanVisualBoundaries`  
method to access data at seemingly random addresses. However, these  
addresses appear to always be in the same range as valid heap addresses,  
even if they are often not DWORD aligned. The reason for the memory  
corruption is not immediately obvious.  
  
Time-line  
---------  
* July 2014: This vulnerability was found through fuzzing.  
* November 2016: Details of this issue are released.  
  
Cheers,  
  
SkyLined  
  
  
  
Repro.html  
  
<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<body>  
<button>  
<pre>  
<x>  
<sub>  
<ruby>  
<img height="1"/>  
</ruby>  
</sub>  
</x>  
</pre>  
</button>  
</body>  
</html>  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Nov 2016 00:00Current
0.5Low risk
Vulners AI Score0.5
vulnerability detailsweb-browsersblogtwittermsie8memory corruptionjavascriptfuzzingrepro.html
32