Instruction at 0x63599ef9 referenced memory at 0x0000006d. Memory could not be read...
IE 6.0.2800.1106.xpsp2-030422-1633
-KF
Richard M. Smith wrote:
Hi,
I ran across an IE6 crash bug while developing a JavaScript debugger. Here's a demo page that shows the problem:
http://www.computerbytesman.com/js/crash/crash.htm
What makes the bug interesting, is that the crash is caused by IE
dereferencing an uninitialized pointer. These dereferences happen in
random places in the code. The most interesting location I saw was in a
CALL instruction.
I don't really have the time to determine if the bug is exploitable to run code.
The bug may also be present in earlier versions of IE.
This is one of many crash bugs in IE that are present in the fringes of the IE DOM. All the other bugs that I've found so far are just null pointer dereferences which I think are harmless.
Richard M. Smith http://www.ComputerBytesMan.com
PS. On a few machines, the demo must be reloaded a few times for a crash to occur.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
