[NT] Internet Explorer XML and IMG Elements DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Internet Explorer XML and IMG Elements DoS
------------------------------------------------------------------------


SUMMARY

Internet Explorer vulnerable to a denial of service whenever it handles a
specially crafted XML or IMG element. Both of these are caused by null
pointer dereferences.

DETAILS

Vulnerable Systems:
* Microsoft Internet Explorer version 5
* Microsoft Internet Explorer version 6

Tested Combinations:
* Microsoft Windows XP Professional with Service Pack 2 and IE
6.0.2900.2180.xpsp_sp2_gdr.050301-1519
* Microsoft Windows Server 2003 with IE 6.0.2790.0
* Microsoft Windows 2000 Advanced Server 5.00.2195 with Service Pack 4
and IE 5.00.3700.1000

Microsoft(R) Internet Explorer 5 and Microsoft(R) Internet Explorer 6 are
vulnerable to a Denial of Service. So far all combinations of OS's and IE
versions I have tested are vulnerable. The exploit is triggered by bad
HTML data combined with a bad XML block, this HTML code can by hidden
inside a webpage etc.

Proof of Concept:
Any HTML page that contain the following HTML code will cause the DoS:
<table><tr><td><IMG align=left>X X X<?xml:namespace prefix=v ><v:X
style="HEIGHT:1"></td></tr></table>


ADDITIONAL INFORMATION

The information has been provided by
<mailto:inge.henriksen@xxxxxxxxxxxxxxx> Inge Henriksen.
The original article can be found at:
<http://ingehenriksen.blogspot.com/> http://ingehenriksen.blogspot.com/



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages