Issue with Replace function of VBScript engine, introduced by March Security patches

Issue #11665044

Details

Author
James B.
Created
Apr 14, 2017
Privacy
This issue is public.
Found in
  • Internet Explorer
Reports
Reported by 2 people


Steps to reproduce

I have opened a support ticket with Microsoft regarding this issue, but they have asked me to cross-post it here. We are requesting a patch to the VBScript engine to correct the issue. This Replace function worked properly for decades and started breaking our applications after the March 2017 patches.

With the March 2017 security patches, an issue has been introduced with the Replace function of the VBScript engine. This issue affects all forms of VBScript execution. It affects VBScript running in IE (with compatibility mode of 10 or lower), running in the Windows Script Host, or running in IIS (classic asp).

The issue occurs when you send a string containing a null character (hex 00) into the Replace function. The function behaves erratically, apparently pulling data from random locations in memory or sometimes failing to run at all. If you run a sample script multiple times, the function may return different results each time.

We have reproduced this issue on all of the operating systems we tried. We tried this on Windows 8.1, Windows 10, Windows 2008 R2, and Windows 2012 R2. In each case, uninstalling the March 2017 patches fixes the issue.

I have attached an html file, vbs file, and asp file. They can all be used to demonstrate the issue.

Using the vbs file, I created some output attachments. The goodoutput.txt is what the output was before the March 2017 patches were installed. The four badoutput attachments show different results when running it with the March 2017 patches installed.

Attachments
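
A regression check for the behaviour described in the report, added here as an example and not one of the author's attached files. It assumes the Windows Script Host (run with `cscript`); the sample strings are constructed, and the run count of 20 is arbitrary.

```vbscript
Option Explicit

' Render a string as hex code units so embedded nulls and stray data are visible.
Function HexDump(s)
    Dim i, out
    out = ""
    For i = 1 To Len(s)
        out = out & Right("000" & Hex(AscW(Mid(s, i, 1))), 4) & " "
    Next
    HexDump = out
End Function

' Call Replace once. Returns "" when the result matches, otherwise a description.
Function CheckOnce(src, find, repl, expected)
    Dim actual, errNum, errText
    CheckOnce = ""
    On Error Resume Next            ' the report says Replace sometimes fails outright
    actual = Replace(src, find, repl)
    errNum = Err.Number
    errText = Err.Description
    On Error GoTo 0
    If errNum <> 0 Then
        CheckOnce = "error " & errNum & ": " & errText
    ElseIf HexDump(actual) <> HexDump(expected) Then
        CheckOnce = "got " & HexDump(actual)
    End If
End Function

Dim src, expected, i, problem, failures
src = "abc" & Chr(0) & "def abc"        ' constructed input with an embedded null
expected = "xyz" & Chr(0) & "def xyz"   ' correct result of Replace(src, "abc", "xyz")
failures = 0

' Repeat the call because the report says results differ from run to run.
For i = 1 To 20
    problem = CheckOnce(src, "abc", "xyz", expected)
    If problem <> "" Then
        failures = failures + 1
        WScript.Echo "run " & i & ": " & problem
    End If
Next

If failures = 0 Then
    WScript.Echo "Replace handled the embedded null correctly in all 20 runs"
Else
    WScript.Echo failures & " of 20 runs were wrong; expected " & HexDump(expected)
End If
```

Comparing hex dumps rather than the raw strings keeps the check independent of how the host prints or truncates text at a null character.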

Comments and activity

  • Changed Steps to Reproduce


  • Microsoft Edge Team

    Changed Assigned To to “James M.”

    Changed Assigned To to “Saty B.”

  • I didn’t receive any notification, but testing shows that this was fixed with the May patches.

  • Microsoft Edge Team

    Changed Status

  • Hello,

    Thank you for providing this information about the issue. We have confirmed the problem, and we are working on a solution for a future build of Edge. We are presently tracking this issue as a duplicate of an existing internal bug report. We look forward to additional feedback you may have on how we can improve Microsoft Edge.

    Best Wishes,
    The MS Edge Team
