Microsoft Internet Explorer CDispNode t:MEDIA Remote Code Execution Vulnerability

2012-02-22T00:00:00
ID ZDI-12-035
Type zdi
Reporter Stephen Fewer of Harmony Security (www.harmonysecurity.com)
Modified 2012-11-09T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required in that a target must visit a malicious page or open a malicious file.

The flaw exists within MSHTML, specifically in the handling of an HTML+TIME t:MEDIA element. A t:MEDIA element can be manipulated such that, when the page is refreshed, a reference to a freed CDispNode object remains, allowing the freed memory region to be repurposed. A remote attacker can exploit this vulnerability to execute arbitrary code in the context of the process.