Denial of Service in Microsoft Internet Explorer 6.0 SP1

Reported May 17, 2004, by Mike Mauler


  • Microsoft Internet Explorer (IE) 6.0 Service Pack 1 (SP1)

A vulnerability in IE 6.0 SP1 could result in a Denial of Service (DoS) condition. By using a malformed HTML page containing JavaScript code with a specially crafted META tag, a potential attacker could cause IE to terminate with an access violation.

The discoverer posted the following code as proof of concept:

The following script code will cause Internet Explorer to crash when trying to parse the META tag contained within. The problem stems from a bug in the MSHTML library (mshtml.dll). Below is the script code that causes the crash:

<scr!pt type="text/javascript">
        Wnd = window.createPopup();
        Wnd.document.body.innerHTML='<meta http-equiv="imagetoolbar" content="no">';

The effect of the META tag is to cause an access violation within mshtml.dll, however not exploitable. The problematic piece of code is shown below:

636D54AF    8B48 2C         MOV     ECX, \[EAX+2C\]
EAX = 0, Bad read of address 0x0000002C

Microsoft hasn't released a fix or bulletin that addresses this vulnerability.

Discovered by Mike Mauler.


TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.