This is a brief summary of how a security researcher discovered a use-after-free vulnerability in Microsoft Internet Explorer versions 6 and 7.
fed4dfb70fc3fa7c23bed757145fad40571994fdcfece3bbf1de6eeb343e3a5b
(this is the plain text version of http://yuhongbao.blogspot.ca/2013/07/how-i-found-cve-2013-1310.html)
>From http://www.satzansatz.de/cssd/pseudocss.html under "Application instability: another element adjacent to the pseudo-element":
"Now, when such a .ipsum construct gains "layout" by a subset of layout properties (position: absolute; / float: any value; / display: inline-block; / zoom: 1;), what will happen? Right. Some will have to cancel the frozen process, others will have to reboot, data gets lost. Don't do it. (No, I don't link to a testcase here. IE7b3 is still crashing after scrolling/resizing. Depending on the memory already burned, you might have difficulties to stop the process...)"
I created this test manually (save http://www.satzansatz.de/cssd/pseudocss/pseudocss_t004.html and add zoom: 1 to .ipsum) and not only this bug is still in final IE7, I also noticed that there is also a potentially exploitable crash bug by opening the about box after opening this page. When this happens, it crashes with EIP at an address like 0x790070.
After this, by adding onclick="window.showModalDialog('target.htm')" to <p class="ipsum">, creating the target.htm, then opening the page and clicking inside the box, I triggered various crashes including attempts at executing data (note that IE7 do not enable DEP by default) and heap termination on corruption.
I turned full pageheap on and after I did so it crashes reliably at:
(360.51c): Access violation - code c0000005 (first/second chance not available)
eax=00000004 ebx=08042e78 ecx=0000000a edx=065acfa0 esi=08042e78 edi=065289c0
eip=3ceff096 esp=04d04ba8 ebp=04d04bf8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CLineCore::AssignLine+0x37:
3ceff096 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MS fixed this bug in the May 2013 Cumulative Update for IE6 and IE7.
Here is http://www.satzansatz.de/cssd/pseudocss.html rendered in IE6 and IE7 before the patch:
http://imgur.com/qrcpNua
After the patch (notice it is the same rendering as IE8+ in IE7 compat mode):
http://imgur.com/BY6MTFc
Yuhong Bao