DoS in Multiple IE Versions (Self-Referenced Directives)

["Matthew Murphy" <mattmurphy () kc rr com>]

The Flaw

    OBJECT elements are used for embedded OLE in HTML documents.  A flaw in
the way Microsoft Internet Explorer processes this directive allows a page
that causes a loop in object dependancy, or loads itself in a certain manner
in an OBJECT, to completely crash Internet Explorer.

The Exploit

    To date, I have discovered 4 points of exploitation to crash the
browser.  My favorite example is this one:

---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----

IE dies inside shdocvw.dll with a call stack overflow.

Fixes

    Set "Run ActiveX Controls and Plugins" to disabled in ALL zones.  An XML
Island DSO may even be able to get past this, however.  I would expect this
bug to fixed in a future IE service pack, though there's been no
confirmation/details of that from Microsoft.