Since November I have been releasing details on all vulnerabilities I found that I have not released before. This is the 36th entry in the series. This information is available in more detail on my blog at http://blog.skylined.nl/20161220001.html. There you can find a repro that triggered this issue in addition to the information below, as well as a Proof-of-Concept exploit that attempts to prove exploitability. If you find these releases useful, and would like to help me make time to continue releasing this kind of information, you can make a donation in bitcoin to 183yyxa9s1s1f7JBpAPHPmzAQ346y91Rx5DX. Follow me on http://twitter.com/berendjanwever for daily browser bugs. MSIE 11 MSHTML CSpliceTreeEngine::RemoveSplice use-after-free ============================================================= (MS14-035, CVE-2014-1785) Synopsis -------- A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 11. There is sufficient time between the free and reuse for an attacker to control the contents of the freed memory and exploit the vulnerability. Known affected software, attack vectors and potential mitigations ----------------------------------------------------------------- * Microsoft Internet Explorer 11 An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path. Details ------- This was one of the first bugs where I attempted to do a proper analysis, and I got some feedback from ZDI that explained what I got right and what I got wrong. Basically, on x86, a 0x28 byte memory block is allocated in `MSHTML!CMarkup::DoEmbedPointers` and when you execute `document.execCommand("Delete")`. This memory can be freed when you execute `document.open()` in a `DOMNodeRemoved` event handler. After that, you can use Javascript to reallocate the memory before it is reused. Time-line --------- * 30 December 2013: This vulnerability was submitted to ZDI. * 8 January 2014: This vulnerability was acquired by ZDI. * 14 January 2014: This vulnerability was disclosed to Microsoft by ZDI. * 10 June 2014: This vulnerability was address by Microsoft in MS14-035. * 20 December 2016: Details of this vulnerability are released. Cheers, SkyLined