Date: Sun, 28 Jan 2007 21:58:42 -0800
From: Alexander Sotirov <asotirov@...ermina.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Internet Explorer 7 ActiveX bgColor property NULL pointer dereference
 (DoS)

I thought that after the success of MoBB last year, fuzzing browsers would be
pointless, since all vendors would take care of the easily-found bugs before a
release. It turns out that I was wrong. I ran a very simple ActiveX fuzzer
against Vista and found a NULL pointer dereference bug in no time. The
vulnerable ActiveX control is on the pre-approved list in IE7, which makes the
bug easy to trigger with no security warnings and no user interaction.

Try this:

<script language="JavaScript">
    obj = new ActiveXObject("giffile");
    obj.bgColor;
</script>

MSRC said that this is a reliability bug and not a security issue, and it will
be fixed at some point in the future. I agree that DoS bugs against IE are not
very important (as long as skape doesn't drop any more vulns like MS06-051 :-),
but it's interesting that such a simple bug in such an obvious part of the IE7
attack surface was not discovered and fixed before the release.

See the full technical details at
http://www.determina.com/security.research/vulnerabilities/activex-bgcolor.html

More about fuzzers and ActiveX at
http://determina.blogspot.com/2007/01/fuzzing-shouldnt-work.html


Alexander Sotirov
Determina Security Research
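
Added example, not part of the original post or Determina's advisory: a PowerShell audit that resolves a ProgID such as "giffile" to its CLSID and reports whether that CLSID is on IE7's pre-approved (ActiveX Opt-In) list and whether a kill bit is set. The registry locations used are the standard Windows ones and are an assumption here, since the post does not name them; the function name Get-ActiveXExposure is hypothetical.

```powershell
# Added example: can a ProgID be scripted in IE7 without an ActiveX Opt-In prompt?
# Registry paths are the standard Windows locations (assumed; not named in the post).
param([string]$ProgId = 'giffile')   # ProgID used in the post's test case

function Get-ActiveXExposure {
    param([Parameter(Mandatory = $true)][string]$ProgId)

    # Resolve ProgID -> CLSID through the merged HKEY_CLASSES_ROOT view.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        Write-Warning "ProgID '$ProgId' has no CLSID on this host."
        return
    }
    $clsid = (Get-Item -LiteralPath $clsidKey).GetValue('')

    # Check the native view and, on 64-bit Windows, the 32-bit (Wow6432Node) view.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Controls listed here bypass the IE7 opt-in prompt.
        $preKey = "$root\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$clsid"
        $preApproved = Test-Path -LiteralPath $preKey

        # Kill bit: bit 0x400 of 'Compatibility Flags' stops IE from loading the control.
        $killKey = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags = 0
        if (Test-Path -LiteralPath $killKey) {
            $value = (Get-Item -LiteralPath $killKey).GetValue('Compatibility Flags')
            if ($null -ne $value) { $flags = [int]$value }
        }
        $killBit = ($flags -band 0x400) -ne 0

        # No prompt is expected when the control is pre-approved and not kill-bitted.
        [pscustomobject]@{
            ProgId        = $ProgId
            Clsid         = $clsid
            View          = $root
            PreApproved   = $preApproved
            KillBit       = $killBit
            NoOptInPrompt = ($preApproved -and -not $killBit)
        }
    }
}

Get-ActiveXExposure -ProgId $ProgId | Format-Table -AutoSize
```

A row with PreApproved = True and KillBit = False means the control is reachable from page script without a prompt; setting the 0x400 kill bit on that CLSID is the standard way to block it in IE.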
