Vulnerability Development mailing list archives

JScript bugs in Internet Explorer 5 & 6 create stack faults & invalid page faults in various DLLs.


From: <SkyLined () mail com>
Date: 14 Dec 2001 15:57:39 -0000



I have found a number of errors in JScript in IE 5 & 6 
which can kill all instances of IE on windows 9x & 
2000 and can make a windows 9x system fatally 
unstable. Whether this bug is exploitable to gain 
access on another system is yet unknown because I 
lack the expertise to find out. The errors will occur 
when a page containing malicious JScript code is 
opened in IE. (Active scripting must be turned on for 
this to work).
A number of different versions of the bug result in 
different stack faults and invalid page faults in four 
different DLLs: 
- SHLWAPI.DLL Shell Light-weight Utility Library (MS 
Internet Explorer)
- MSHTML.DLL Microsoft (R) HTML Viewer (MS 
Internet Explorer)
- JSCRIPT.DLL Microsoft (R) JScript (IE or 
Windows ?)
- KERNEL32.DLL Win32 Kernel core component 
(MS Windows)
Crashing KERNEL32.DLL will bring down the win 9x 
systems.
The general form of the code is:
<OBJECT src="invalid resource" onError="this.src='invalid resource';">
e.g. <IMG src="::" onError="this.src='::';">
Probable cause is the infinite loop that this produces.
Further details about the bugs can be found on my 
website, http://spoor12.edup.tudelft.nl/skylined. 
(Which is under constant revision and construction 
so don't be surprised if it is somewhat buggy ;)
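As an added example (not part of the original post or the author's site), the following scanner flags the pattern the post describes: inline onError handlers that write back to the element's own src, so that the failed load re-fires the error event and loops. It is a regex pass over static markup only, and the sample HTML is constructed here for illustration.

```javascript
// Matches an opening tag and captures its name and raw attribute string.
const TAG_RE = /<(\w+)\b([^>]*)>/g;

// Returns the value of attribute `name` inside a raw attribute string
// (double-quoted, single-quoted or unquoted), or null if absent.
function attrValue(attrs, name) {
  const re = new RegExp(
    `\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Flags elements whose onError handler assigns to <something>.src, i.e. a
// handler that re-triggers itself by pointing the element at a resource
// that will fail to load again (the self-reloading loop from the post).
function findSelfReloadingErrorHandlers(html) {
  const hits = [];
  for (const match of html.matchAll(TAG_RE)) {
    const [, tag, attrs] = match;
    const handler = attrValue(attrs, 'onerror');
    if (!handler) continue;
    // `.src =` but not `.src ==` (a comparison is not a reassignment)
    if (/\.src\s*=(?!=)/i.test(handler)) {
      hits.push({ tag: tag.toLowerCase(), src: attrValue(attrs, 'src'), handler });
    }
  }
  return hits;
}

// Constructed sample markup: two looping handlers and one benign one.
const SAMPLE_HTML = [
  '<IMG src="::" onError="this.src=\'::\';">',
  '<img src="logo.png" onerror="this.style.display=\'none\'">',
  '<object src="missing.swf" onError="this.src = \'missing.swf\';"></object>',
].join('\n');

for (const h of findSelfReloadingErrorHandlers(SAMPLE_HTML)) {
  console.log(`looping onError on <${h.tag} src="${h.src}">: ${h.handler}`);
}
```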

