Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)

From: Benjamin Tobias Franz (0-1-2-3_at_gmx.de)
Date: 05/28/05

Next message: Benjamin Tobias Franz: "Microsoft Internet Explorer - Crash on processing embedded files with endless loop (05/28/2005)"

Previous message: Benjamin Tobias Franz: "Microsoft Internet Explorer - Crash on adding sites to restricted zone (05/28/2005)"
Next in thread: - k -: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)"
Maybe reply: - k -: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)"
Reply: Benton Lam: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <bugtraq@securityfocus.com>
Date: Sat, 28 May 2005 16:24:26 +0200

Microsoft Internet Explorer - Crash on JavaScript "window()"-calling
(05/28/2005)

Description:
There is a bug in Microsoft Internet Explorer, which causes a crash in it.
The bug occurs, because Microsoft Internet Explorer can't handle a call to a
JavaScript-function with the name of the "window"-object.
The bug was fixed in an earlier version. But it works again.

Affected software:
Microsoft Internet Explorer

Workaround:
Deactivate "Active Scripting" in the IE options menu.

Proof-of-Concept exploit:
<body onLoad="window()">

Date of discovery:
11. September 2003

Tested software:
Microsoft Internet Explorer 6 SP2 (6.0.2900.2180.xpsp_sp2_gdr.050301-1519)
on a fully patched Windows XP SP2 system.

DLL versions:
MSHTML.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
BROWSEUI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
SHDOCVW.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
SHLWAPI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
URLMON.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
WININET.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)

Regards,

Benjamin Tobias Franz
Germany

Next message: Benjamin Tobias Franz: "Microsoft Internet Explorer - Crash on processing embedded files with endless loop (05/28/2005)"

Previous message: Benjamin Tobias Franz: "Microsoft Internet Explorer - Crash on adding sites to restricted zone (05/28/2005)"
Next in thread: - k -: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)"
Maybe reply: - k -: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)"
Reply: Benton Lam: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NT] Microsoft IE Recursive Scripting, Embedded Files, window() and Restricted Sites DoS
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer, exploiting these vulnerabilities allows ... malicious attacker to crash a vulnerable browser. ... The bug occurs, ...
(Securiteam)
Re: New URL spoofing bug in Microsoft Internet Explorer
... a bug or an exploit really. ... > the status bar. ... I have made a quick page that hosts both "exploits" here as HTML: ... >> New URL spoofing bug in Microsoft Internet Explorer ...
(Bugtraq)
RE: Microsoft Internet Explorer - Crash on mouse button click
... the bug is perfectly reproducible. ... Microsoft Internet Explorer - Crash on mouse button click ... Re-visiting the PoC page doesn't reproduce the crash. ...
(Bugtraq)
Microsoft Internet Explorer - Crash on adding sites to restricted zone (05/28/2005)
... Microsoft Internet Explorer - Crash on adding sites to restricted zone ... The bug occurs, because Microsoft Internet Explorer can't handle adding of ...
(Bugtraq)
Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)
... Microsoft Internet Explorer - Crash on JavaScript ... > There is a bug in Microsoft Internet Explorer, which causes a crash in it. ...
(Bugtraq)