#DailyBug bonus #MicrosoftEdge use-after-free
<body id=x style=margin:5 onload=x.style.removeProperty("margin")>
@berendjanwever web workers don't have access to the DOM. There's lots of cases like these affecting the execCommand functions.
@pyoor_ @berendjanwever MS saved a lot of CVEs with MemProtect. Even more with MemGC.
@dhanesh_k @berendjanwever You're right but I was referring to the large number of UAFs where free and reuse occur within the same function.
@dhanesh_k @berendjanwever These existed prior to MemProtect and continue to do so.
@dhanesh_k @berendjanwever Lots of cases where function copies a pointer without addRef, releases, then reuse stale ref.
@pyoor_ @berendjanwever Yes, but in a few cases, between use and free, an event is triggered. Which helps us to fill the mem. Now those are gone
@dhanesh_k @pyoor_ it doesn't execute anything useful (such as events) in between free and reuse, which is why it's not a vuln but a bug.
@berendjanwever @pyoor_ Right! I have a few of them lying around too.
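The pattern described in the conversation above (copy a pointer without AddRef, release, reuse the stale reference inside one function), as an added C++ example that is not code from any participant or from Edge. `Node`, `Owner`, `g_deferred` and the function names are hypothetical, and freed objects are parked on a list instead of being deleted so the stale access can be observed without undefined behaviour.

```cpp
#include <vector>

// Constructed stand-in for a COM-style reference-counted object.
struct Node {
    int refs = 1;
    bool alive = true;
    void AddRef() { ++refs; }
};

// "Freed" nodes are parked here rather than deleted, so touching one
// through a stale pointer is observable and well defined in this demo.
static std::vector<Node*> g_deferred;

void Release(Node* n) {
    if (--n->refs == 0) {
        n->alive = false;           // object is logically freed
        g_deferred.push_back(n);
    }
}

struct Owner { Node* child = new Node; };

// Bug pattern: the raw copy does not keep the object alive.
bool stale_reuse(Owner& o) {
    Node* p = o.child;              // copied without AddRef
    Release(o.child);               // last reference dropped here
    o.child = nullptr;
    return !p->alive;               // p now refers to a freed object
}

// Corrected pattern: take a reference for as long as the copy is used.
bool held_reuse(Owner& o) {
    Node* p = o.child;
    p->AddRef();                    // local copy owns a reference
    Release(o.child);               // owner lets go, object survives
    o.child = nullptr;
    bool stale = !p->alive;         // still alive at the point of use
    Release(p);                     // freed only after the last use
    return stale;
}

// Actually free everything that was parked.
void drain_deferred() {
    for (Node* n : g_deferred) delete n;
    g_deferred.clear();
}
```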
New conversation
@berendjanwever web workers?
@im_so_banty Feel free to write a PoC and prove your theory...
New conversation
@berendjanwever @Ivanlef0u I found damn uaf in one av driver in this situation :(