Wednesday, October 12, 2011

Internet Explorer Option Element Remote Code Execution

Overview

There is a vulnerability in Internet Explorer which enables execution of arbitrary code if the user visits a web page controlled by the attacker. The vulnerability is caused by an use-after-free bug triggered by accessing a previously deleted Option element. This vulnerability has been observed in Internet Explorer versions 6, 7 and 8. The vulnerability has been patched by Microsoft on October 11, 2011.

The bug

In Internet Explorer, the implementation of Select HTML element contains an array of pointers to the Option elements the Select element contains. This array is called the Option cache. Normally, whenever an Option element inside a Select element is accessed via JavaScript, Option cache is rebuilt, thus ensuring its consistency. However, there are some JavaScript methods that can be used to delete and modify the Option elements contained inside the Select element without rebuilding the Option cache. In combination, these methods enable modifying a previously deleted Option element.

Impact

The vulnerability can be used to execute arbitrary code in the context of the currently logged in user if the user visits a specially crafted web page. JavaScript needs to be enabled in order for the attacker to be able to exploit the vulnerability (it's enabled by default in all versions of Internet Explorer).

PoC

An PoC exploit that demonstrates code execution has been developed. However, due to the severity of the vulnerability, release of the exploit code is not planned at this time.

References


9 comments:

Djadai said...

Well, I have been looking for a good software company for years. I had a lot of bad experiences with many companies and now I finally found the perfect one - the services they provide are more than enough to fullfil all my needs. If you are not happy with your providers, make sure to chek it, you wont be dsiapointed.
http://www.absl.in/

John Barness said...

I think when it comes to data security, mainly if it is related to business documentation or so, there should be really valuable virtual data rooms implemented. Data destruction may have a very high price in the business world.

john said...

Very much useful article. Kindly keep blogging

Java Training in Chennai

Java Online Training India

Uzair Hassan said...

"I loved the post, keep posting interesting posts. I will be a regular reader...

https://www.smm.com.pk/"

Uzair Hassan said...

"I loved the post, keep posting interesting posts. I will be a regular reader...

http://skyled.pk/"

steve said...


غسيل خزانات بمكة شركة غسيل خزانات بمكة
غسيل خزانات بجدة شركة غسيل خزانات بجدة
غسيل خزانات بالدمام شركة غسيل خزانات بالدمام

indianconsumer said...

Snapdeal online lucky draw Winner List 2020 here came up with an Offer where you can win Snapdeal lottery 2020 and more prize by just playing a game & win prizes
Snapdeal winner 2020
Snapdeal lucky draw winner 2020
Snapdeal lucky draw contest 2020
snapdeal winner prizes 2020

The Qb Payroll said...

Since you live in the US, you can contact our QuickBooks Helpline Number 1-833-325-0220. Our learned & highly skilled Qb experts available 24/7 to give assistance.

Susan said...

Explore all kinds of users, hashtags and locations in ease with our Instagram Web Viewer Pictame2.