Reported May 17, 2004, by Mike Mauler
The discoverer posted the following code as proof of concept:
The following script code will cause Internet Explorer to crash when trying to parse the META tag contained within. The problem stems from a bug in the MSHTML library (mshtml.dll). Below is the script code that causes the crash:
Wnd = window.createPopup();
Wnd.document.body.innerHTML='<meta http-equiv="imagetoolbar" content="no">';
The effect of the META tag is to cause an access violation within mshtml.dll, however not exploitable. The problematic piece of code is shown below:
636D54AF 8B48 2C MOV ECX, \[EAX+2C\]
EAX = 0, Bad read of address 0x0000002C
Microsoft hasn't released a fix or bulletin that addresses this vulnerability.
Discovered by Mike Mauler.