MS DHTML Memory Corruption

June 11, 2009

Microsoft has released advisory MS09-019 for Internet Explorer vulnerabilities as part of this month's Patch Tuesday. One of them is a DHTML Object Memory Corruption vulnerability, tracked as CVE-2009-1141. This vulnerability is triggered when a vulnerable version of the product parses an otherwise legitimate Dynamic HTML page that performs certain specific sequences of DOM operations. The following is an example of a regular Dynamic HTML page:

    <script language="JavaScript">
    function function1() {
        document.all.myP.clearAttributes();
    }
    </script>
    <p id="myP" style="color:red">This text has the style and id attributes.</p>
    <button onclick="function1();">Clear attributes.</button>

In the sample, clearAttributes removes all attributes of the myP element except name and id. clearAttributes also cleans up the internal layout object associated with the element if the element takes part in the markup of the page. For example, when a cell element is inserted into a table with insertCell, an internal layout object is assigned to it.

The memory corruption is triggered only in particular cases. One of them is when a cell element is inserted into a row of a table and then removed from it again, immediately followed by a clearAttributes call on the row. In that case the internal pointer for the removed cell is left in an inconsistent state, still referring to a cell that no longer exists, which causes the memory corruption.
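The sequence described above (a cell inserted into a row, removed again, then clearAttributes called on that row) is the kind of pattern a content-inspection check can look for in a page before it reaches a vulnerable browser. The following is an added example written for this post, not SonicWALL's own signature logic and not code from the advisory; it makes no claim about how IPS signature 5526 is implemented. The regular expression, the decision to treat both deleteCell and removeChild as a "removal", and the three sample pages are all assumptions made for the example. It runs under Node.js and needs no browser.

```javascript
// Added example: heuristic content check for the insertCell -> removal ->
// clearAttributes sequence on a single table-row receiver. Not SonicWALL's
// signature 5526; the patterns and samples below are assumptions for this demo.

// Return the list of {receiver, method} calls in source order for the four
// DOM methods of interest. A fresh regex is built per call so the global
// lastIndex state never leaks between invocations.
function extractCalls(pageText) {
  const callRe = /([A-Za-z_$][\w$]*)\s*\.\s*(insertCell|deleteCell|removeChild|clearAttributes)\s*\(/g;
  const calls = [];
  let m;
  while ((m = callRe.exec(pageText)) !== null) {
    calls.push({ receiver: m[1], method: m[2] });
  }
  return calls;
}

// True when, for some receiver variable, an insertCell call is followed by a
// removal (deleteCell or removeChild, an assumption of this example) and then
// by clearAttributes on the same receiver. Calls on other receivers in between
// are ignored, so the check is per-variable rather than purely positional.
function matchesTriggerSequence(pageText) {
  // State per receiver: 0 = nothing seen, 1 = cell inserted, 2 = cell removed.
  const state = new Map();
  for (const { receiver, method } of extractCalls(pageText)) {
    const s = state.get(receiver) || 0;
    if (method === 'insertCell') {
      state.set(receiver, 1);
    } else if ((method === 'deleteCell' || method === 'removeChild') && s === 1) {
      state.set(receiver, 2);
    } else if (method === 'clearAttributes' && s === 2) {
      return true;
    }
  }
  return false;
}

// Constructed sample 1: the benign clearAttributes use on a paragraph from the
// advisory's own sample; it must not match.
const BENIGN_PAGE = `
<script language="JavaScript">
function function1() { document.all.myP.clearAttributes(); }
</script>
<p id="myP" style="color:red">This text has the style and id attributes.</p>
<button onclick="function1();">Clear attributes.</button>`;

// Constructed sample 2: insert, remove and clearAttributes on the same row.
const SUSPECT_PAGE = `
<table id="t"><tr id="r"></tr></table>
<script>
var row = document.getElementById("r");
var cell = row.insertCell(0);
row.deleteCell(0);
row.clearAttributes();
</script>`;

// Constructed sample 3: the same three calls spread over two different rows,
// so no single receiver sees the full sequence; it must not match.
const MIXED_PAGE = `
<script>
var a = document.getElementById("r1");
var b = document.getElementById("r2");
a.insertCell(0);
b.deleteCell(0);
a.clearAttributes();
</script>`;

// Scan a set of named pages and report which ones match.
function scanPages(pages) {
  return Object.entries(pages).map(([name, text]) => ({
    name,
    matched: matchesTriggerSequence(text),
  }));
}

for (const r of scanPages({ BENIGN_PAGE, SUSPECT_PAGE, MIXED_PAGE })) {
  console.log(`${r.name}: ${r.matched ? 'trigger sequence found' : 'clean'}`);
}
```

Because the check keys on the receiver variable, a page that performs the insert and removal through one variable and the clearAttributes call through an alias of the same row would slip past it; a production signature has to account for such evasions, which is part of why vendor signatures are more involved than this heuristic.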

The SonicWALL UTM Research team observed the exploit and produced an IPS signature to detect attack attempts targeting this vulnerability. The signature is listed below.

  • 5526 MS IE DHTML Object Memory Corruption Attempt (MS09-019)