The Flaw
OBJECT elements are used to embed OLE objects and other content in HTML
documents. A flaw in the way Microsoft Internet Explorer processes this
element allows a page that creates a loop in object dependency, or that
loads itself in a certain manner inside an OBJECT, to crash Internet
Explorer completely.
The Exploit
To date, I have discovered four points of exploitation that crash the
browser. My favourite example is this one:
---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----
IE dies inside shdocvw.dll with a call stack overflow: the embedded
document is the page itself, so the embed is resolved again and again,
nesting a new instance each time, until the stack is exhausted.
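As an added example (not part of the original advisory), the following
JavaScript models what a safe embedder has to check to avoid the two
conditions named above: an OBJECT whose DATA resolves to the document that
contains it, and a loop of documents that embed each other. It keeps the
chain of documents currently being nested and refuses to descend into one
that is already on the chain, which is the missing check the crash shows.
The sample site, its URLs and file contents are constructed for this
example, and the helper names are my own.

```javascript
// Added example: static check for OBJECT self-reference / dependency loops.
// Not part of the original advisory. The sample documents below are
// constructed to mirror CRASH.HTM plus a two-file loop and a benign page.

// Constructed sample "site": absolute URL -> HTML source.
const SAMPLE_SITE = {
  "http://example.test/CRASH.HTM":
    '<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>',
  "http://example.test/A.HTM":
    '<html><body><OBJECT DATA="B.HTM" TYPE="text/html"></OBJECT></body></html>',
  "http://example.test/B.HTM":
    "<OBJECT data='../A.HTM' type=\"text/html\"></OBJECT>",
  "http://example.test/OK.HTM":
    '<OBJECT DATA="LEAF.HTM" TYPE="text/html"></OBJECT>',
  "http://example.test/LEAF.HTM": "<p>no objects here</p>",
};

// Pull the DATA attribute out of every OBJECT start tag. Case-insensitive on
// tag and attribute names, tolerant of double, single or no quotes, since the
// browser accepts all three.
function extractObjectData(html) {
  const refs = [];
  const tagRe = /<object\b([^>]*)>/gi;
  const attrRe = /\bdata\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[1]);
    if (a) refs.push(a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4]);
  }
  return refs;
}

// Resolve a DATA reference against the embedding document's URL, as the
// browser does before fetching the embedded resource.
function resolveRef(baseUrl, ref) {
  return new URL(ref, baseUrl).href;
}

// Walk the embed graph from startUrl. `chain` holds the URLs of the documents
// currently being nested (the "call stack" of embeds). Arriving at a URL that
// is already on the chain is the condition that made IE recurse until
// shdocvw.dll ran out of stack; a safe embedder records the loop and stops
// instead of descending. Returns every loop found, each as the URL path that
// closes it.
function findEmbedCycles(site, startUrl, chain = []) {
  const cycles = [];
  const html = site[startUrl];
  if (html === undefined) return cycles; // unknown document: nothing to embed
  const next = [...chain, startUrl];
  for (const ref of extractObjectData(html)) {
    const target = resolveRef(startUrl, ref);
    const idx = next.indexOf(target);
    if (idx !== -1) {
      cycles.push([...next.slice(idx), target]); // loop closed here
      continue;                                   // do not descend again
    }
    cycles.push(...findEmbedCycles(site, target, next));
  }
  return cycles;
}

// True when rendering `url` never embeds a document already being rendered.
function isEmbedSafe(site, url) {
  return findEmbedCycles(site, url).length === 0;
}

// Usage: report each sample document.
for (const url of Object.keys(SAMPLE_SITE)) {
  const loops = findEmbedCycles(SAMPLE_SITE, url);
  console.log(url, loops.length === 0 ? "ok" : "embed loop: " + JSON.stringify(loops));
}
```

CRASH.HTM is reported as a one-element loop (the document embeds itself),
A.HTM and B.HTM as a two-element loop, and OK.HTM as safe because its chain
ends at a leaf. The same chain check, applied by the browser at embed time,
is what turns the unbounded recursion into a refused embed.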
Fixes
Set "Run ActiveX Controls and Plugins" to Disable in ALL zones. An XML
data island (a data source object) may still be able to get past this
setting, however. I would expect this bug to be fixed in a future IE
service pack, though there has been no confirmation or details of that
from Microsoft.