[ SOURCE: http://www.secureroot.com/security/advisories/9795713053.html ]

Stack Overflow in MSHTML.DLL

Systems affected: Any program using MSHTML.DLL for HTML parsing (Internet Explorer, Outlook/Outlook Express and other HTML-enabled email readers). Reliably tested on IE 4.0 and higher on any Windows system, with any service packs and patches. Older versions of MSHTML.DLL may be affected too, but this remains untested.

Risk: Low/Medium

Description: MSHTML.DLL crashes with a stack overflow from simple scripting. The crash takes down whatever application hosts the component (the browser, or the mail client rendering the message), so the demonstrated impact is a denial of service; no code execution has been shown.

Details: The bug is only triggered when dealing with multiple window objects, where one is receiving data. To reproduce the bug, create a JScript object, set a property on the object from the window object receiving data, delete the object and create it again. No exploitable buffer overflows have been found so far.

Code:
------------InstantCrash.html-----------------
----------------------------------------------

Workaround: Disable Active Scripting.

Vendor status: Microsoft was contacted on 4 December 2000. The bug is considered a code quality bug and will be addressed in a future service pack for IE.

-- Thor Larholm
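The workaround above ("Disable Active Scripting") is what the Internet Options security-zone dialog does when you set Active scripting to Disable. The script below is an added example, not part of the original advisory, that applies the same change from the command line and verifies it. It relies on the per-user Internet Explorer zone layout (zone 3 = Internet, zone 4 = Restricted sites; DWORD value "1400" = Active scripting, 0 = enable, 1 = prompt, 3 = disable); the choice to cover both zones by default is this example's own assumption, made because HTML mail readers built on MSHTML render messages in one of those two zones.

```powershell
# Added example (not from the original advisory): apply the workaround
# "Disable Active Scripting" to Internet Explorer security zones and verify it.
#
# Registry layout assumed here (per-user settings):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#   n = 3  Internet zone, n = 4  Restricted sites zone
#   DWORD value "1400" = Active scripting: 0 = enable, 1 = prompt, 3 = disable
param(
    [int[]]$Zones = @(3, 4)   # assumption: cover Internet and Restricted sites
)

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$Enable  = 0
$Disable = 3

function Get-ActiveScriptingState {
    # Returns the current Active scripting policy for a zone (0, 1 or 3).
    # Fails loudly if the value or key is missing rather than reporting 0 (enabled).
    param([int]$Zone)
    $key = Join-Path $ZoneRoot $Zone
    return [int](Get-ItemPropertyValue -Path $key -Name $ActiveScripting -ErrorAction Stop)
}

function Set-ActiveScriptingState {
    # Writes the policy for a zone and reads it back so the change is verified.
    param([int]$Zone, [int]$State)
    $key = Join-Path $ZoneRoot $Zone
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $State -Type DWord
    $after = Get-ActiveScriptingState -Zone $Zone
    if ($after -ne $State) {
        throw "Zone ${Zone}: Active scripting is $after, expected $State"
    }
    return $after
}

foreach ($zone in $Zones) {
    $before = Get-ActiveScriptingState -Zone $zone
    $after  = Set-ActiveScriptingState -Zone $zone -State $Disable
    $label  = switch ($before) { 0 { 'enabled' } 1 { 'prompt' } 3 { 'disabled' } default { "unknown($before)" } }
    Write-Output ("Zone {0}: Active scripting was {1}, now {2} (disabled)" -f $zone, $label, $after)
}
```

Run it in the account whose browser or mail client renders untrusted HTML; a value of 3 left in place disables scripting for that zone until it is set back to 0. If the machine enforces zone settings machine-wide through policy (settings under HKLM overriding the per-user values), the HKCU change is ignored and the read-back still reports 3, so confirm the effective setting in the Internet Options dialog in that case.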