73
vote
update: I got a couple of questions from readers about this find, and they are correct. Sorry guys, I did not verify my results and it seems that it was disclosed before by various bug hunters which I did not know about. The most likely outcome is null pointer dereference resulting in a crash only, heapspraying is not likely to work here, so I update my article accordingly. Which means I really got rusty and forgot how difficult and deceiving browser hacking really is, since a lot is going on where verification is almost 90% of the exploit writing. read more »
