top | item 6043670


nbpoole | 12 years ago

Not sure why this is getting voted up so much. The author came across a report of IE freezing/crashing, replicated it, and Microsoft fixed it. In the same security update (http://technet.microsoft.com/en-us/security/bulletin/ms13-03...) there are 10 other vulnerabilities described in the same way. Why is this particular vulnerability noteworthy or interesting, other than the fact that someone stumbled across it and documented it before it ended up reported to Microsoft?

In fact, CVE-2013-1297 from that same security update (which I didn't know existed until now) is far more interesting from a security perspective (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1...).

Microsoft Internet Explorer 6 through 8 does not properly restrict data access by VBScript, which allows remote attackers to perform cross-domain reading of JSON files via a crafted web site, aka "JSON Array Information Disclosure Vulnerability."

Similar JSON information disclosure can be very serious for a web application. http://haacked.com/archive/2009/06/24/json-hijacking.aspx describes the general issue in some depth. The fact that it was possible to use VBScript as a way to read in cross-domain JavaScript is very important from a security perspective.
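As an added example (not code from the thread or from the linked article), a Python sketch of the server-side defences against the JSON hijacking the comment refers to: the endpoint never emits a top-level array, refuses GETs that lack a header a cross-site script inclusion cannot set, and marks the body as data rather than script. The header name and the sample records are assumptions.

```python
"""Defensive handling for JSON endpoints against 'JSON hijacking'.

A JSON response whose top level is a bare array is also valid JavaScript,
so a hostile page can pull it in cross-domain with a <script> tag (or, as
the CVE above describes for old IE, via VBScript) and read the data.
Two standard mitigations are applied here: never emit a top-level array,
and only answer requests that a cross-site script tag cannot make.
"""
import json

# Header an in-app XMLHttpRequest can set but a <script src=...> cannot.
# The name is a common convention (assumed here), not a protocol requirement.
REQUIRED_HEADER = "X-Requested-With"
REQUIRED_VALUE = "XMLHttpRequest"


def is_hijackable(body: str) -> bool:
    """True if the serialized body is a bare JSON array, i.e. a document
    that evaluates as a JavaScript expression when loaded via <script>."""
    return body.lstrip().startswith("[")


def json_endpoint(method: str, headers: dict, payload) -> tuple:
    """Return (status, response_headers, body) for a JSON API call.

    - Reject GET requests without the XHR marker header: a cross-site
      <script> or VBScript fetch is always a plain GET without it.
    - Wrap list payloads in an object so the document is never a bare
      array, closing the Array-constructor trick from the linked article
      even if the header check were somehow bypassed.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() == "GET" and hdrs.get(REQUIRED_HEADER.lower()) != REQUIRED_VALUE:
        return 403, {"Content-Type": "application/json"}, json.dumps({"error": "forbidden"})

    data = {"items": payload} if isinstance(payload, list) else payload
    body = json.dumps(data)
    # nosniff makes modern browsers refuse to execute a non-script MIME
    # type as a <script> source, a third layer on top of the two above.
    resp_headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, resp_headers, body


if __name__ == "__main__":
    # Constructed sample data standing in for a user's private records.
    records = [{"id": 1, "email": "alice@example.test"}, {"id": 2, "email": "bob@example.test"}]
    print("naive body hijackable:", is_hijackable(json.dumps(records)))  # vulnerable shape
    print(json_endpoint("GET", {}, records))
    print(json_endpoint("GET", {"X-Requested-With": "XMLHttpRequest"}, records))
```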


marshray | 12 years ago

I think a lot of folks are voting it up because they found it interesting and informative and it gives a real-world example of using a widely-available tool (pageheap) to diagnose bugs.

It may not be dropping any new super-advanced fuzzing or exploit techniques, but it's the story about a guy who did the legwork to run down the exploitability of a bug from public crash reports.

yuhong | 12 years ago

What is unique is that the original report of the bug was public. I was the one who figured out that it was exploitable and sent it to MSRC.

nbpoole | 12 years ago

Right. But I can very easily find reports of reliable ways to crash IE via CSS: https://www.google.com/search?q=crash+ie+css

I don't have a problem with your blog post. It documents how to reproduce the issue referenced in a particular CVE. But I'm curious what value people are deriving from reading it.