A .NET class bug that can hang a machine instantly

[Walt Smith <walt () vectiva com>]

I posted the following information to a couple of Microsoft news groups in the last couple of days with no response, so 
I thought I would post it here perhaps to encourage the examination of this .NET class, which I believe is vulnerable 
to exploits because of quality problems in the code.  I believe the following bug could easily be used in an exploit to 
crash any Windows machine that is running .NET 1.1 in Windows XP.  The bug is basically a flaw in the XMLTextReader 
class of .NET that locks the machine up so badly that it can only be shutdown with the power switch.  I do not have an 
ASP.NET environment in which to test it, so I would be interested to know if it has any effect there that is similar to 
C# .NET.  The bug can be reproduced in the following manner using the Visual Studio 7 .NET C# compiler:

1) Create a simple C# Windows Application Project and add a form 
to it.  Add System.XML to the namespaces of the project.
2) Add a ListBox control to the form.  (name it lbUsers for this code)
3) Add the following code to the OnLoad event of the form:

protected override void OnLoad(EventArgs e) 
{ 
   XmlTextReader xmlConfigFile; 

   string filename = Application.StartupPath 
+ "\\test.vtx"; 
   xmlConfigFile = new XmlTextReader(filename); 
          
   while(xmlConfigFile.Read()) 
   { 
     if(xmlConfigFile.NodeType == XmlNodeType.Element) 
     { 
        if(xmlConfigFile.Name == "User") 
        { 
          if(xmlConfigFile.HasAttributes) 
          { 
             while(xmlConfigFile.MoveToNextAttribute()) 
             { 
               if(xmlConfigFile.Name == "Name") 
                  lbUsers.Items.Add
(xmlConfigFile.Value);       
             } 
           } 
        } 
      } 
   } 
   lbUsers.Refresh(); 
   base.OnLoad (e); 
} 

4) Place the following XML File in the application 
directory for the project (the /debug directory).  Name 
the file test.vtx

<?xml version="1.0" encoding="UTF-8" ?> 
<ConfigData> 
   <UserInfo> 
      <Users> 
         <User Name="AUDREY"> 
         </User> 
         <User Name="WESLEY"> 
         </User> 
         <User Name="DADDY"> 
         </User> 
      </Users> 
   </UserInfo> 
</ConfigData> 


5)  DO NOT PLACE any breakpoints in the code.
6)  Use the F5 key (Debug/Run) to execute the code.

Result:  The machine will hang.  The only choice is the 
power switch.  CTRL-ALT-DEL is ineffective.

Other information:
a)  If you execute this code from a Button.Click event on 
the form, IT WORKS JUST FINE.
b)  If you comment out all of the code inside the while 
loop in the function, the machine will still hang.
c)  If you move the base class OnLoad above the while 
loop, the code will still hang.
d)  If you put this code in the OnActivate function of the 
form, the code will still hang.