This crash was surprisingly compact. Creating an htmlFile ActiveXObject, initializing its Trident with open()/close(), executing a Refresh command, and then immediately deleting the reference caused a probably-exploitable write access violation near null. The refresh kicks off an async operation, and deleting the reference pulls the rug out while that operation is still in flight.
<script language="JavaScript">
  function main()
  {
    var axDoc = new ActiveXObject("htmlFile");
    axDoc.open();
    axDoc.close();
    axDoc.execCommand("Refresh");
    delete axDoc; // Crash!
  }
</script>
<input type="button" onclick="main();" value="CrashMe">
The crash occurs in MSHTML!CBlockedUrlList::ClearList during the COmWindowProxy::SwitchMarkup call that the refresh triggers. Deleting axDoc decrements the reference count to zero while the markup switch is still in progress, causing a RtlEnterCriticalSection call on an already-freed lock object. The crash was rated PROBABLY_EXPLOITABLE and reproduced on both IE9 RTM and IE10 Platform Preview.
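The lifetime problem described above, reduced to a small C model (an added example, not MSHTML code and not the actual patch). `Doc`, `Task`, `queue_refresh`, `run_refresh` and `replay` are hypothetical names, destruction is modeled with a flag instead of a real `free()` so the program stays well-defined, and the `keep_alive` path shows the usual hardening for this class of bug: the in-flight operation takes its own reference.

```c
#include <stdbool.h>

/* Hypothetical model of a COM-style refcounted object that owns a lock. */
typedef struct Doc {
    int  refs;        /* reference count */
    bool lock_alive;  /* stands in for the critical section owned by the object */
} Doc;

typedef struct Task { Doc *doc; bool holds_ref; } Task;

static void doc_release(Doc *d) {
    if (--d->refs == 0)
        d->lock_alive = false;  /* real code would delete the lock and free the object */
}

/* Queue the async refresh. keep_alive=false is the weak form: a raw pointer only. */
static Task queue_refresh(Doc *d, bool keep_alive) {
    if (keep_alive)
        d->refs++;              /* AddRef on behalf of the in-flight operation */
    Task t = { d, keep_alive };
    return t;
}

/* Run the deferred work. Returns true if the lock was still alive when entered;
   false marks the point where real code would touch freed memory. */
static bool run_refresh(Task *t) {
    bool ok = t->doc->lock_alive;  /* real code: enter the object's critical section */
    if (t->holds_ref)
        doc_release(t->doc);       /* drop the operation's reference when done */
    return ok;
}

/* Replays the page's sequence: create, Refresh, drop the last script reference,
   then let the async work run. *destroyed reports whether the object was
   eventually torn down (no leak). */
static bool replay(bool keep_alive, bool *destroyed) {
    Doc d = { 1, true };                    /* script holds the only reference */
    Task t = queue_refresh(&d, keep_alive);
    doc_release(&d);                        /* the script drops axDoc */
    bool ok = run_refresh(&t);
    *destroyed = (d.refs == 0 && !d.lock_alive);
    return ok;
}

int main(void) {
    bool gone;
    bool weak = replay(false, &gone);       /* lock already destroyed when entered */
    bool hard = replay(true, &gone);        /* lock alive, object freed afterwards */
    return (!weak && hard && gone) ? 0 : 1;
}
```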
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.