Microsoft Internet Explorer SVG animateMotion.by Code Execution Vulnerability

2008-02-12T00:00:00
ID ZDI-08-006
Type zdi
Reporter Anonymous
Modified 2008-11-09T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the handling of the "by" property of an animateMotion SVG element. By assigning other DOM elements to this property, a memory corruption occurs during the destruction of a Variant data type. The corruption causes an overwrite of a virtual function address allowing for the execution of arbitrary code.