Showing results for tags 'edge'.
-
Microsoft Edge suffers from a Flash click2play bypass with CObjectElement::FinalCreateObject.
-
Exploits Microsoft Edge Chakra 1.11.4 Type Confusion
1337day-Exploits posted a topic in Updated Exploits
Microsoft Edge Chakra version 1.11.4 read permission via type confusion proof of concept exploit.
-
In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it is essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is, it does not restore the previous status of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.
-
Microsoft Edge has an issue where the NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but they can in fact have side effects via the SetIsPrototype method of the type handler, which can cause a transition to a new type. This can lead to type confusion in the JITed code.
-
Exploits Microsoft Edge Chakra JIT Type Confusion Bug
1337day-Exploits posted a topic in Updated Exploits
Microsoft Edge suffers from a Chakra JIT type confusion bug.
-
Microsoft Edge suffers from a sandbox escape vulnerability.
-
The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows the same object to be initialized multiple times, which can lead to type confusion.