I have found a number of errors in JScript in IE 5 & 6 which can kill all instances of IE on Windows 9x & 2000 and can make a Windows 9x system fatally unstable. Whether this bug is exploitable to gain access on another system is yet unknown because I lack the expertise to find out.

The errors will occur when a page containing malicious JScript code is opened in IE. (Active scripting must be turned on for this to work.)

A number of different versions of the bug result in different stack faults and invalid page faults in four different DLLs:

- SHLWAPI.DLL   Shell Light-weight Utility Library (MS Internet Explorer)
- MSHTML.DLL    Microsoft (R) HTML Viewer (MS Internet Explorer)
- JSCRIPT.DLL   Microsoft (R) JScript (IE or Windows ?)
- KERNEL32.DLL  Win32 Kernel core component (MS Windows)

Crashing KERNEL32.DLL will bring down the Win 9x systems.

The general form of the code is:

    <OBJECT src="invalid resource" onError="this.src='invalid resource';">

e.g.

    <IMG src="::" onError="this.src='::';">

Probable cause is the infinite loop that this produces.

Further details about the bugs can be found on my website, http://spoor12.edup.tudelft.nl/skylined. (Which is under constant revision and construction so don't be surprised if it is somewhat buggy ;)
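
A defensive check for the pattern described above, as an added example that is not part of the original post: a small JavaScript (Node.js) scanner that flags inline onerror handlers which reassign src without first clearing the handler with `this.onerror=null`. The function names and all sample markup other than the post's own IMG line are constructed for illustration, and the regex-based tag parsing is a heuristic, not a full HTML parser.

```javascript
// Added example (not from the original post): heuristic scanner for inline
// onerror handlers that reassign src and can therefore re-fire endlessly.

const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g; // tag name + raw attribute text
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const ASSIGNS_SRC = /\bsrc\s*=(?!=)\s*(?:(['"])(.*?)\1)?/i; // src = 'literal'
const CLEARS_HANDLER = /\bonerror\s*=\s*null\b/i; // guard that stops re-firing

// Parse a raw attribute string into { lowercased-name: value }.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per tag whose onerror handler assigns src without
// disabling itself. sameSource is true when the handler reloads the very
// value that just failed, so the loop is certain rather than possible.
function findErrorLoops(html) {
  const findings = [];
  for (const [, tag, raw] of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(raw);
    const handler = attrs.onerror;
    if (!handler) continue;
    const assign = handler.match(ASSIGNS_SRC);
    if (!assign || CLEARS_HANDLER.test(handler)) continue;
    findings.push({
      tag: tag.toLowerCase(),
      handler,
      sameSource: assign[2] !== undefined && assign[2] === attrs.src,
    });
  }
  return findings;
}

// Constructed sample: the first tag is the form given in the post, the
// others are illustrative.
const SAMPLE = `
<IMG src="::" onError="this.src='::';">
<img src="photo.png" onerror="this.onerror=null; this.src='fallback.png';">
<img src="a.png" onerror="this.src='b.png'">
<img src="ok.png" alt="no handler">
`;

for (const f of findErrorLoops(SAMPLE)) {
  console.log(`${f.tag}: ${f.handler} (sameSource=${f.sameSource})`);
}
```
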
This archive was generated by hypermail 2b30 : Fri Dec 14 2001 - 08:46:53 PST