Title: Stack Overflow in MSHTML.DLL
Released by: Thor Larholm
Date: 15th January 2001

Systems affected:

Any program using MSHTML.DLL for HTML parsing (Internet Explorer,
Outlook/Outlook Express and other HTML-enabled email readers).
Reliably tested on IE 4.0 and higher on any Windows system, with any service packs
and patches.
Older versions of MSHTML.DLL may be affected too, but remain untested.

Risk: Low/Medium

Description:

MSHTML.DLL crashes with a Stack Overflow from simple scripting.

Details:

The bug is only experienced when dealing with multiple window objects, where one
is receiving data. To reproduce the bug, create a JScript object, set a property
on the object from the window object receiving data, delete the object and
create it again.

No exploitable buffer overflows have been found so far.

Code:

------------InstantCrash.html-----------------





----------------------------------------------

Workaround:

Disable Active Scripting.

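An added example (not part of this advisory) of applying the workaround as a verified per-user registry change, assuming the Internet Explorer zone keys under HKCU, zone 3 (Internet) and zone 4 (Restricted Sites), and the URL action value "1400" for Active scripting with 3 = Disable, 1 = Prompt, 0 = Enable:

```powershell
# Added example: apply "Disable Active Scripting" through the IE zone settings
# and read the value back to confirm it. Assumed: per-user zone keys live under
# $ZoneRoot, zone 3 = Internet, zone 4 = Restricted Sites, value "1400" is the
# "Active scripting" URL action (0 = Enable, 1 = Prompt, 3 = Disable).

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ActiveScriptingSetting {
    param([int]$Zone = 3)
    $key = Join-Path $ZoneRoot $Zone
    $value = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($value)" }
    }
}

function Set-ActiveScriptingSetting {
    param(
        [int]$Zone = 3,
        [ValidateSet('Enable', 'Prompt', 'Disable')][string]$Setting = 'Disable'
    )
    $code = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Setting]
    $key = Join-Path $ZoneRoot $Zone
    # DWORD "1400" is the Active scripting URL action for this zone
    Set-ItemProperty -Path $key -Name '1400' -Value $code -Type DWord
    # Return what the registry now reports so the caller can verify the change
    Get-ActiveScriptingSetting -Zone $Zone
}

# Disable Active Scripting in the Internet (3) and Restricted Sites (4) zones,
# which cover pages loaded by IE and HTML mail rendered by Outlook Express.
foreach ($zone in 3, 4) {
    $result = Set-ActiveScriptingSetting -Zone $zone -Setting 'Disable'
    Write-Output "Zone $zone Active Scripting: $result"
}
```

The change is per user (HKCU); restart Internet Explorer or Outlook Express afterwards so the new zone setting is picked up.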
Vendor status:

Microsoft was contacted on 4 December 2000.

Bug is considered to be a code quality bug, and will be addressed in a future SP
for IE.

--

Thor Larholm