MS DHTML Memory Corruption (June 11, 2009)


Microsoft has released advisory MS09-019 for Internet Explorer vulnerabilities on this Microsoft Patch day. One of them is a DHTML Object Memory Corruption vulnerability, which is referred to as CVE-2009-1141. This vulnerability is triggered when a vulnerable version of the product parses a legitimate Dynamic HTML page in some specific cases. The following is an example of a regular Dynamic HTML page:

    <script language="JavaScript">
    // Removes every attribute of the myP element except name and id.
    function function1() {
        document.all.myP.clearAttributes();
    }
    </script>
    <p id="myP" style="color:red">This text has the style and id attributes.</p>
    <button onclick="function1();">Clear attributes.</button>

In the sample, the clearAttributes function removes all attributes of the “myP” object except name and id. The clearAttributes function also cleans up some internal layout object related to the element if it is part of the web page's markup. For example, if a cell element is inserted into a table object using the insertCell function, an internal layout object is assigned.

The DHTML memory corruption vulnerability is triggered in some particular cases. One of the cases is when a cell element is inserted into and then removed from a row of a table, immediately followed by a clearAttributes function call on the row. In this case, the internal pointer for the removed element is not consistent, which causes the memory corruption.
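As an added example (not SonicWALL's signature and not code from the advisory), the following Python heuristic flags script blocks in which the same object receives insertCell, then a removal call, then clearAttributes, which is the ordering described above. The function name `flag_sequence`, the choice of `deleteCell` and `removeChild` as removal calls, and the sample inputs are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: the advisory does not name the removal method; these two are
# DOM calls made on the row itself, so the receiver can be tracked.
REMOVE_CALLS = ("deleteCell", "removeChild")
CALL_RE = re.compile(
    r"([A-Za-z_$][\w$]*)\s*\.\s*"
    r"(insertCell|deleteCell|removeChild|clearAttributes)\s*\(")

class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def flag_sequence(html):
    """Return receiver names that see insert -> remove -> clearAttributes."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for script in collector.scripts:
        state = {}  # receiver name -> 0 (idle), 1 (inserted), 2 (removed)
        for match in CALL_RE.finditer(script):
            obj, call = match.group(1), match.group(2)
            step = state.get(obj, 0)
            if call == "insertCell":
                state[obj] = 1
            elif call in REMOVE_CALLS and step == 1:
                state[obj] = 2
            elif call == "clearAttributes" and step == 2:
                hits.append(obj)
                state[obj] = 0
    return hits

# Constructed sample inputs (script text only, for exercising the heuristic).
BENIGN = "<script>function function1() { document.all.myP.clearAttributes(); }</script>"
SUSPECT = "<script>function f(r) { r.insertCell(0); r.deleteCell(0); r.clearAttributes(); }</script>"
OTHER_OBJECT = "<script>a.insertCell(0); a.deleteCell(0); b.clearAttributes();</script>"
```

This matches on variable names in static script text only, so aliased references or dynamically built code will not be seen; treat a hit as a reason to inspect the page, not as a verdict.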

SonicWALL UTM Research team observed the exploit and produced an IPS signature to detect attack attempts targeting this vulnerability. The signature is listed below.

  • 5526 MS IE DHTML Object Memory Corruption Attempt (MS09-019)