Microsoft Internet Explorer 11 Tree::Notify_InvalidateDisplay Null Pointer Dereference

Title: Microsoft Internet Explorer 11 Tree::Notify_InvalidateDisplay Null Pointer Dereference
Advisory ID: ZSL-2018-5499
Type: Local/Remote
Impact: DoS
Risk: (2/5)
Release Date: 03.11.2018
Summary
Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year.
Description
The crash is caused due to a NULL pointer dereference access violation inside the 'Tree::Notify_InvalidateDisplay' function while parsing malformed DOM elements. The issue was discovered using the Domato fuzzer.
Vendor
Microsoft Corporation - https://www.microsoft.com
Affected Version
11.345.17134.0 (Update Versions: 11.0.90 (KB4462949))
11.1387.15063.0 (Update Versions: 11.0.90 (KB4462949))
11.0.9600.18282 (Update Versions: 11.0.30 (KB3148198))
11.0.9600.17843 (Update Versions: 11.0.20 (KB3058515))
Tested On
Microsoft Windows 10 (EN) (64bit) Microsoft Windows 7 SP1 (EN) (32/64bit)
Vendor Status
[25.10.2018] Vulnerability discovered.
[26.10.2018] Vendor contacted with sent details.
[26.10.2018] Vendor starts investigation.
[30.10.2018] Vendor completes investigation. Issue appears to be null pointer dereference and is non-exploitable.
[30.10.2018] Replied to the vendor.
[03.11.2018] Public security advisory released.
PoC
msie11_nullptr.txt
msie11_nullptr_fuzz-33.html.rar
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/45778/
[2] https://packetstormsecurity.com/files/150166
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/152537
[4] http://sec.sangfor.com.cn:88/vulns/819.html
Changelog
[03.11.2018] - Initial release
[05.11.2018] - Added reference [1]
[07.11.2018] - Added reference [2] and [3]
[11.11.2018] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk