
On Tuesday August 18, 2015, Microsoft published an advisory pointing out a 0-day vulnerability (CVE-2015-2502) that can be exploited by an attacker to perform a remote code execution on Internet Explorer (from version 7 to 11, even if you are running Windows 10) web browser allowing him to gain the same user rights as the current user. The vulnerability resides in how IE handles objects.

These last days, I have been diving into this vulnerability to understand it, so I landed on Understanding and Solving Internet Explorer Leak Patterns, where I got quite an interesting insight into how IE object handling has always been suffering from different bugs, which are grouped by Microsoft into 4 categories (Circular References, Closures, Cross-Page Leaks and Pseudo-Leaks).

Since these memory leaks are caused by the way JavaScript, the DOM, ... interact in IE, could these memory leaks be common to Firefox and Chrome, or are they specifically inherent to IE?

    Firefox and Chrome implement their own version of Javascript, having common bugs is probably unlikely (but possible). – Uriel Aug 21 '15 at 19:15
  • @Uriel if you give me any link(s) like the last one in my question stating those different implementations, I will accept your answer without further explanation (I can read the links by myself) –  Aug 21 '15 at 19:18
  • My comment was to point out that having _exactly_ the same bug was unlikely, as implementations differ. If your concern is about bug categories, you will end up with the same ones: overflows (stack/heap), use-after-free, etc. If your concern is about specification-related issues, then you are likely to run into the same ones. Just for information, here is a list of JavaScript engines: https://en.wikipedia.org/wiki/List_of_ECMAScript_engines – Uriel Aug 21 '15 at 20:22

1 Answer


The CVE you provided contains a link to a tweet from Greg Linares that shows the cause of this vulnerability is a use-after-free within Internet Explorer. Use-after-free vulnerabilities happen when a program frees a chunk of memory while still holding a reference to the freed memory.

Although Firefox and Chrome both have their own Javascript implementations (spidermonkey and blink/webkit), both have been exploited using this same technique many, many, many times. Below are some of the best links I've found explaining use-after-free exploitation within Firefox, Chrome, and IE:

Justin Moore
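As an added example that is not part of the original thread, the C program below models the use-after-free pattern the answer describes (memory released while another holder still keeps a pointer to it) next to the reference-counted ownership that prevents it. The node type, the handler table and the "mark as freed instead of calling free()" trick are all constructed for this illustration and are not IE's object model.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of a DOM-like node shared by a document tree and an event-handler
 * table. Constructed for illustration; it is not IE's object model. Releasing
 * a node marks it freed instead of calling free(), so a dangling access can be
 * detected deterministically rather than being undefined behaviour. */
typedef struct Node { int refcount, freed; char name[16]; } Node;

static Node *node_create(const char *name) {
    Node *n = calloc(1, sizeof *n);
    strncpy(n->name, name, sizeof n->name - 1);
    n->refcount = 1;                /* creator (the tree) holds one reference */
    return n;
}
static Node *node_ref(Node *n) { n->refcount++; return n; }
static void node_unref(Node *n) {
    if (--n->refcount == 0)
        n->freed = 1;               /* a real allocator would free(n) here */
}

/* Handler access: 0 if the node is still live, -1 if it touches freed memory. */
static int handler_fire(const Node *n) { return n->freed ? -1 : 0; }

/* Vulnerable pattern: the handler table keeps a raw pointer without taking a
 * reference, so removing the node from the tree frees it under the handler. */
int scenario_raw_pointer(void) {
    Node *tree_slot = node_create("button");
    Node *handler_slot = tree_slot;       /* plain copy, no node_ref() */
    node_unref(tree_slot);                /* element removed from tree: freed */
    int rc = handler_fire(handler_slot);  /* -1: use-after-free */
    free(handler_slot);
    return rc;
}

/* Hardened pattern: every holder owns a reference, so the object outlives the
 * tree until the last holder lets go and the handler's access is always valid. */
int scenario_refcounted(void) {
    Node *tree_slot = node_create("button");
    Node *handler_slot = node_ref(tree_slot);
    node_unref(tree_slot);                /* tree lets go, handler still holds one */
    int rc = handler_fire(handler_slot);  /* 0: still live */
    node_unref(handler_slot);             /* last reference dropped: released */
    int released = handler_slot->freed;
    free(handler_slot);
    return (rc == 0 && released) ? 0 : -1;
}
```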