How I found CVE-2013-1310 in IE6 and IE7 - yuhong
http://yuhongbao.blogspot.ca/2013/07/how-i-found-cve-2013-1310.html

======
nbpoole
Not sure why this is getting voted up so much. The author came across a report
of IE freezing/crashing, replicated it, and Microsoft fixed it. In the same
security update
([http://technet.microsoft.com/en-us/security/bulletin/ms13-03...](http://technet.microsoft.com/en-us/security/bulletin/ms13-037))
there are 10 other vulnerabilities described in the same way. Why is this
particular vulnerability noteworthy or interesting, other than the fact that
someone stumbled across it and documented it before it ended up reported to
Microsoft?

In fact, CVE-2013-1297 from that same security update (which I didn't know
existed until now) is _far_ more interesting from a security perspective
([http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1...](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1297)).

 _Microsoft Internet Explorer 6 through 8 does not properly restrict data
access by VBScript, which allows remote attackers to perform cross-domain
reading of JSON files via a crafted web site, aka "JSON Array Information
Disclosure Vulnerability."_

Similar JSON information disclosure can be very serious for a web application.
[http://haacked.com/archive/2009/06/24/json-hijacking.aspx](http://haacked.com/archive/2009/06/24/json-hijacking.aspx)
describes the general issue in some depth. The fact that it was possible to
use vbscript as a way to read in cross-domain JavaScript is very important
from a security perspective.

~~~
yuhong
What is unique is that the original report of the bug was _public_. I was the
one who figured out that it was exploitable and sent it to MSRC.

~~~
nbpoole
Right. But I can very easily find reports of reliable ways to crash IE via
CSS:
[https://www.google.com/search?q=crash+ie+css](https://www.google.com/search?q=crash+ie+css)

I don't have a problem with your blog post. It documents how to reproduce the
issue referenced in a particular CVE. But I'm curious what value people are
deriving from reading it.

~~~
yuhong
Not all are exploitable.

~~~
nbpoole
Right. But your post shows that you can reliably get the browser to crash. It
doesn't demonstrate that the crash is exploitable, unless I'm missing
something.

~~~
yuhong
I was able to prove that it was potentially exploitable to MSRC, which is how
I got them to fix it. There are a lot of non-exploitable crashes such as null
pointer dereferences that MSRC will not consider as security bugs.

