#DailyBug bonus #MicrosoftEdge use-after-free
<body id=x style=margin:5 onload=x.style.removeProperty("margin")>
Replying to @berendjanwever
Note that reuse is in the same function that freed it with no way of injecting JavaScript to reallocate it in between, so NOT EXPLOITABLE.
Replying to @berendjanwever
@berendjanwever Web workers don't have access to the DOM. There are lots of cases like these affecting the execCommand functions.
Replying to @pyoor_
@pyoor_ @berendjanwever MS saved a lot of CVEs with MemProtect. Even more with MemGC.
Replying to @dhanesh_k
@dhanesh_k @berendjanwever You're right, but I was referring to the large number of UAFs where free and reuse occur within the same function.
Replying to @pyoor_
@dhanesh_k @berendjanwever These existed prior to MemProtect and continue to do so.
Replying to @pyoor_
@dhanesh_k @berendjanwever Lots of cases where a function copies a pointer without addRef, releases, then reuses the stale ref.
Replying to @pyoor_
@pyoor_ @berendjanwever Yes, but in a few cases, between use and free, an event is triggered, which helps us to fill the mem. Now those are gone.
Replying to @dhanesh_k
@dhanesh_k @pyoor_ It doesn't execute anything useful (such as events) in between free and reuse, which is why it's not a vuln but a bug.
Replying to @berendjanwever
@berendjanwever @pyoor_ Right! I have a few of them lying around too.
@dhanesh_k So get them < 140 bytes and start contributing to #DailyBug too :)
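The thread above turns on one distinction: a function that copies a raw pointer without an AddRef, releases the owner's reference (freeing the object) and then touches the stale pointer is a use-after-free either way, but it only becomes controllable when something attacker-influenced (an event handler, script) can run between the free and the reuse and refill the slot. The following C program is an added illustration, not Edge code or anything posted in the thread. It uses a deliberately toy fixed-size slot allocator with a LIFO free list (an assumption chosen so the freed slot is handed straight back to the next same-size allocation; it does not model MemGC or MemProtect), a refcounted `Obj`, a `Holder` that owns one reference, the buggy `vuln_use`, the corrected `fixed_use`, and a `scenario` driver that reports what the stale read observes in each case.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size slot allocator (assumption for this demo): a LIFO free
 * list, so the most recently freed slot is the next one handed out.
 * Freed contents are left in place, as many real allocators do. */
#define SLOTS 4
typedef struct Obj {
    int refcount;
    char data[16];
} Obj;

static Obj pool[SLOTS];
static int free_list[SLOTS];  /* stack of free slot indices */
static int free_top;

static void pool_reset(void) {
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) free_list[free_top++] = i;  /* slot 0 on top */
}

static Obj *obj_alloc(const char *init) {
    if (free_top == 0) return NULL;
    Obj *o = &pool[free_list[--free_top]];
    o->refcount = 1;
    memset(o->data, 0, sizeof o->data);
    strncpy(o->data, init, sizeof o->data - 1);
    return o;
}

static void obj_addref(Obj *o) { o->refcount++; }

static void obj_release(Obj *o) {
    if (--o->refcount == 0)
        free_list[free_top++] = (int)(o - pool);  /* slot back on the free list */
}

/* Owner of one reference, like a node owning its style object. */
typedef struct { Obj *obj; } Holder;

static void holder_set(Holder *h, Obj *o) {  /* takes over the caller's ref */
    if (h->obj) obj_release(h->obj);
    h->obj = o;
}

/* BUG: raw pointer copied without AddRef, owner releases (object freed),
 * then the stale pointer is read. `in_between` stands for whatever can
 * run between the free and the reuse (NULL = nothing, as in the tweet). */
static void vuln_use(Holder *h, void (*in_between)(void), char out[16]) {
    Obj *o = h->obj;                 /* no AddRef */
    holder_set(h, NULL);             /* last reference dropped: o is freed */
    if (in_between) in_between();    /* event/script hook, if any */
    memcpy(out, o->data, 16);        /* use after free */
}

/* FIX: hold our own reference across the release. */
static void fixed_use(Holder *h, void (*in_between)(void), char out[16]) {
    Obj *o = h->obj;
    obj_addref(o);
    holder_set(h, NULL);
    if (in_between) in_between();
    memcpy(out, o->data, 16);
    obj_release(o);
}

/* Attacker-controlled callback: allocate a same-size object so that it
 * lands in the slot just freed, and fill it with chosen bytes. */
static Obj *sprayed;
static void attacker_event(void) { sprayed = obj_alloc("ATTACKER"); }

/* Run one scenario; returns the 16 bytes observed through the pointer. */
static const char *scenario(int fixed, int with_event) {
    static char out[16];
    pool_reset();
    sprayed = NULL;
    Holder h = { obj_alloc("ORIGINAL") };
    void (*hook)(void) = with_event ? attacker_event : NULL;
    if (fixed) fixed_use(&h, hook, out);
    else       vuln_use(&h, hook, out);
    if (sprayed) obj_release(sprayed);
    return out;
}

int main(void) {
    printf("UAF, nothing runs in between : %s\n", scenario(0, 0));
    printf("UAF, event between free/use  : %s\n", scenario(0, 1));
    printf("fixed, event between         : %s\n", scenario(1, 1));
    return 0;
}
```

With nothing running between the release and the reuse, the stale read still returns ORIGINAL: the memory was freed, but nobody got a chance to reallocate it, which is the "bug, not a vuln" case. Give the attacker a hook in between and the same stale read returns ATTACKER, because the spray reclaimed the slot. The fixed variant returns ORIGINAL regardless, since its own reference keeps the object alive. Real heaps differ in when a freed chunk is reused and what is written into it on free, so treat the allocator here as a model of the argument, not of Edge.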