
Microsoft Internet Explorer 11 Tree::Notify_InvalidateDisplay Null Pointer Dereference

Low
Advisory ID
ZSL-2018-5499
Release Date
03 November 2018
Vendor
Microsoft Corporation - https://www.microsoft.com
Affected Version
11.345.17134.0 (Update Versions: 11.0.90 (KB4462949)), 11.1387.15063.0 (Update Versions: 11.0.90 (KB4462949)), 11.0.9600.18282 (Update Versions: 11.0.30 (KB3148198)), 11.0.9600.17843 (Update Versions: 11.0.20 (KB3058515))
CVE
N/A
Tested On
Microsoft Windows 10 (EN) (64bit), Microsoft Windows 7 SP1 (EN) (32/64bit)
Summary

Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year.

Description

The crash is caused by a NULL pointer dereference (access violation) inside the 'Tree::Notify_InvalidateDisplay' function while parsing malformed DOM elements. The issue was discovered using the Domato fuzzer.

Proof of Concept
Disclosure Timeline
25.10.2018 - Vulnerability discovered.
26.10.2018 - Vendor contacted and details sent.
26.10.2018 - Vendor starts investigation.
30.10.2018 - Vendor completes investigation. Issue appears to be a null pointer dereference and is non-exploitable.
30.10.2018 - Replied to the vendor.
03.11.2018 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
03.11.2018 - Initial release
05.11.2018 - Added reference [1]
07.11.2018 - Added reference [2] and [3]
11.11.2018 - Added reference [4]