Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)

From: Benjamin Tobias Franz (0-1-2-3_at_gmx.de)
Date: 05/28/05

  • Next message: Benjamin Tobias Franz: "Microsoft Internet Explorer - Crash on processing embedded files with endless loop (05/28/2005)"
    To: <bugtraq@securityfocus.com>
    Date: Sat, 28 May 2005 16:24:26 +0200
    
    

    Microsoft Internet Explorer - Crash on JavaScript "window()"-calling
    (05/28/2005)

    Description:
    There is a bug in Microsoft Internet Explorer, which causes a crash in it.
    The bug occurs, because Microsoft Internet Explorer can't handle a call to a
    JavaScript-function with the name of the "window"-object.
    The bug was fixed in an earlier version. But it works again.

    Affected software:
    Microsoft Internet Explorer

    Workaround:
    Deactivate "Active Scripting" in the IE options menu.

    Proof-of-Concept exploit:
    <body onLoad="window()">

    Date of discovery:
    11. September 2003

    Tested software:
    Microsoft Internet Explorer 6 SP2 (6.0.2900.2180.xpsp_sp2_gdr.050301-1519)
    on a fully patched Windows XP SP2 system.

    DLL versions:
    MSHTML.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
    BROWSEUI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
    SHDOCVW.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
    SHLWAPI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
    URLMON.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
    WININET.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)

    Regards,

    Benjamin Tobias Franz
    Germany


  • Next message: Benjamin Tobias Franz: "Microsoft Internet Explorer - Crash on processing embedded files with endless loop (05/28/2005)"

    Relevant Pages