MS IE Uninitialized DOM Memory Corruption

December 11, 2009

Microsoft Internet Explorer version 8, the latest version to date, contains a memory corruption vulnerability. The flaw exists due to improper handling of script-modified DOM structures.

DOM defines an object oriented structure of the HTML document content. It allows for individual elements and properties of the HTML document to be manipulated by script. In the DOM structure, all HTML tags and their attributes are stored in a tree-like structure as Nodes. This tree can be defined statically using HTML tags or dynamically using script.

An example HTML code snippet followed by its DOM representation is shown:


DOM representation:

    html
     |- body
     |   |- p

DOM objects can be modified dynamically by script embedded in the HTML document. An example of dynamic DOM manipulation is shown:

    var j = document.body;                 // parent node that receives the new element
    var i = document.createElement('p'); j.appendChild(i);

Microsoft Internet Explorer 8 improperly handles script-modified DOM structures while an HTML document is being parsed. By manipulating the DOM from script, a circular reference between two DOM objects can be created. This error can lead to memory corruption, which could be exploited to inject and execute arbitrary code. Remote attackers could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Successful exploitation may result in code execution with the privileges of the logged-in user.
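The following is an added example, not code from the advisory or from SonicWALL or Microsoft: a minimal JavaScript tree model (the names DomNode, renderTree, buildExample and rejectsCycle are assumed here) that builds the html/body/p tree above, applies the createElement/appendChild step from the page, and shows the ancestor check the DOM standard requires so that appendChild can never make a node its own descendant. It models the standard rule only, not IE8's internal parser.

```javascript
// Added example (not from the advisory): a minimal tree model standing in for
// the browser DOM, enough to show createElement/appendChild and the ancestor
// check that keeps a script-modified tree free of cycles.
class DomNode {
  constructor(tagName) {
    this.tagName = tagName;
    this.parentNode = null;
    this.childNodes = [];
  }
  // Rule from the DOM standard: a node may not be inserted into itself or
  // into one of its own descendants; browsers throw HierarchyRequestError.
  appendChild(child) {
    for (let n = this; n !== null; n = n.parentNode) {
      if (n === child) throw new Error('HierarchyRequestError: insertion would create a cycle');
    }
    if (child.parentNode !== null) {          // detach from any previous parent first
      const siblings = child.parentNode.childNodes;
      siblings.splice(siblings.indexOf(child), 1);
    }
    child.parentNode = this;
    this.childNodes.push(child);
    return child;
  }
}

// Render the tree in the same ASCII layout the advisory uses.
function renderTree(node, prefix = '') {
  let out = node.tagName + '\n';
  for (const c of node.childNodes) out += prefix + ' |- ' + renderTree(c, prefix + ' |  ');
  return out;
}

// Static html/body/p tree from the advisory, then the script step from the
// page: var i = document.createElement('p'); j.appendChild(i); with j = body.
function buildExample() {
  const html = new DomNode('html');
  const body = html.appendChild(new DomNode('body'));
  body.appendChild(new DomNode('p'));
  const i = new DomNode('p');
  body.appendChild(i);
  return html;
}

// True when the model refuses to append an ancestor (html) under its own
// descendant (body), the operation that would turn the tree into a cycle.
function rejectsCycle() {
  const html = buildExample();
  const body = html.childNodes[0];
  try { body.appendChild(html); return false; } catch (e) { return e.message.startsWith('HierarchyRequestError'); }
}
```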

Generic detection of this type of attack would require a full HTML parser and is therefore not feasible. SonicWALL has developed a signature that detects and blocks a known exploit targeting this vulnerability. The following signature was released:

  • 4234 - MS IE Uninitialized DOM Memory Corruption PoC (MS09-072)

The vendor has released an advisory and assigned the vulnerability the ID MS09-072. This flaw has been assigned CVE-2009-3674 by MITRE.