Message-ID: <b496faf7-2d1e-78a6-ac5c-e4834ae56ddb@gmail.com>
Date: Sat, 12 Mar 2016 00:02:01 +0100
From: Berend-Jan Wever <berendjanwever@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] Microsoft Edge CDOMTextNode::get_data type confusion
Hey,
Last Tuesday, Microsoft fixed a security issue in Microsoft Edge that I
was aware of, but had not had time to report. (i.e. I was waiting for
vulnerability contributor programs to look over my analysis and make me
an offer for the information). Since this issue has been fixed, I have
published my analysis on my blog
<http://blog.skylined.nl/20160310001.html>.
In short: specially crafted JavaScript inside an HTML page can trigger a
type confusion bug in Microsoft Edge that allows accessing a C++ object
as if it were a BSTR string. This can result in information disclosure,
such as allowing an attacker to determine the value of pointers to other
objects and/or functions. This information can be used to bypass ASLR
mitigations. It may also be possible to modify arbitrary memory and
achieve remote code execution, but this was not investigated.
Cheers,
SkyLined
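The mechanism the post describes, reading a C++ object's memory through a BSTR accessor so that its vtable pointer shows up as string characters, modelled as an added example. This is not Edge's code, not the author's analysis, and not the trigger for the bug: the BSTR layout (4-byte byte-length prefix followed by UTF-16 code units) is the real Windows layout, but `DomNode`, `read_as_bstr`, `get_data_checked`, the static heap chunk and the tagged `Value` are constructed for illustration, and the little-endian byte order and 8-byte pointers are assumed. The "checked" accessor shows the generic defence (verify the type tag before the cast); it is not Microsoft's actual fix, which the post does not describe.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a Windows BSTR: a 4-byte length prefix (in bytes) immediately
 * followed by UTF-16 code units; the BSTR pointer points at the code
 * units, not at the prefix. Built by hand here so it runs on any host;
 * this is not Edge's string code. */
typedef uint16_t *BSTR;

/* Model of a C++ object: a vtable pointer followed by a few fields.
 * Hypothetical layout, not a real Edge class. */
struct DomNode {
    void *vtable;
    uint32_t refcount;
    uint32_t flags;
};

static void vtable_stub(void) {}   /* stands in for a real vtable address */

/* Heap chunk holding the object. The 4 bytes before an object are
 * whatever the allocator stored there; this model sets them to the
 * object's size so the confused "string" spans exactly the object.
 * The object sits at offset 8 so its pointer field stays aligned. */
static _Alignas(8) uint8_t chunk[8 + sizeof(struct DomNode)];

/* Build the object in the chunk and return a correctly typed pointer. */
static struct DomNode *make_node(void) {
    uint32_t prefix = (uint32_t)sizeof(struct DomNode);
    memcpy(chunk + 4, &prefix, sizeof prefix);
    struct DomNode *n = (struct DomNode *)(chunk + 8);
    n->vtable = (void *)&vtable_stub;
    n->refcount = 1;
    n->flags = 0x41;
    return n;
}

/* A genuine BSTR, laid out like SysAllocStringLen would. */
static BSTR bstr_alloc(const uint16_t *units, uint32_t nunits) {
    uint32_t nbytes = nunits * 2;
    uint8_t *mem = malloc(4 + nbytes + 2);
    memcpy(mem, &nbytes, sizeof nbytes);
    memcpy(mem + 4, units, nbytes);
    mem[4 + nbytes] = mem[5 + nbytes] = 0;   /* UTF-16 NUL terminator */
    return (BSTR)(mem + 4);
}

/* What a confused get_data-style path does: trust that the pointer is a
 * BSTR, read the length prefix in front of it, copy the "characters" out.
 * Applied to an object pointer, this copies raw object bytes. */
static size_t read_as_bstr(const void *p, uint16_t *out, size_t max_units) {
    const uint8_t *bytes = (const uint8_t *)p;
    uint32_t nbytes;
    memcpy(&nbytes, bytes - 4, sizeof nbytes);
    size_t n = nbytes / 2;
    if (n > max_units) n = max_units;
    memcpy(out, bytes, n * 2);
    return n;
}

/* What the attacker's script does with the leaked string: recombine the
 * char codes of the first four UTF-16 units into a little-endian 64-bit
 * value (the equivalent of charCodeAt() arithmetic in JavaScript). */
static uint64_t pointer_from_units(const uint16_t *u) {
    uint64_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint64_t)u[i] << (16 * i);
    return v;
}

/* End to end: the value read back equals the object's vtable pointer,
 * which is exactly the ASLR-defeating disclosure the post describes. */
uint64_t leak_vtable(void) {
    struct DomNode *n = make_node();
    uint16_t units[sizeof(struct DomNode) / 2];
    size_t got = read_as_bstr(n, units, sizeof units / sizeof units[0]);
    if (got < 4)
        return 0;
    return pointer_from_units(units);
}

/* Generic defence: a tagged value that records what the pointer really is,
 * and an accessor that refuses to treat anything but a BSTR as a BSTR.
 * Illustrative only; the post does not describe Microsoft's fix. */
enum { TAG_BSTR = 1, TAG_OBJECT = 2 };
struct Value { int tag; void *ptr; };

size_t get_data_checked(const struct Value *v, uint16_t *out, size_t max_units) {
    if (v->tag != TAG_BSTR)
        return 0;                      /* wrong type: no read at all */
    return read_as_bstr(v->ptr, out, max_units);
}

int main(void) {
    printf("leaked vtable pointer: 0x%llx (real: %p)\n",
           (unsigned long long)leak_vtable(), (void *)&vtable_stub);
    return 0;
}
```

The length prefix is the detail that makes the confusion so useful to an attacker: whatever bytes precede the object are taken as the string length, so a single mis-typed read can hand the script a controlled-length window onto the heap rather than just one pointer.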
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/