Bugtraq mailing list archives
DoS in Multiple IE Versions (Self-Referenced Directives)
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sat, 20 Apr 2002 10:48:43 -0500
The Flaw OBJECT elements are used for embedded OLE in HTML documents. A flaw in the way Microsoft Internet Explorer processes this directive allows a page that causes a loop in object dependancy, or loads itself in a certain manner in an OBJECT, to completely crash Internet Explorer. The Exploit To date, I have discovered 4 points of exploitation to crash the browser. My favorite example is this one: ---- [ CRASH.HTM ] ---- <OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT> ---- [ CRASH.HTM ] ---- IE dies inside shdocvw.dll with a call stack overflow. Fixes Set "Run ActiveX Controls and Plugins" to disabled in ALL zones. An XML Island DSO may even be able to get past this, however. I would expect this bug to fixed in a future IE service pack, though there's been no confirmation/details of that from Microsoft.
Current thread:
- DoS in Multiple IE Versions (Self-Referenced Directives) Matthew Murphy (Apr 20)