COMMAND

    MSHTML.DLL

SYSTEMS AFFECTED

    Internet Explorer

PROBLEM

    Thor Larholm found the following. Any program using MSHTML.DLL for
    HTML parsing (Internet Explorer, Outlook/Outlook Express and other
    HTML-enabled e-mail readers) is affected. Reliably tested on IE4.0
    and higher on any Windows system, with any service packs and
    patches. Older versions of MSHTML.DLL may be affected too, but
    remain untested.

    The bug is only experienced when dealing with multiple window
    objects, where one is receiving data. To reproduce the bug, create
    a JScript object, set a property on the object from the window
    object receiving data, delete the object and create it again. No
    exploitable buffer overflows have been found so far.

    Code:

    <iframe id=test style="display:none"></iframe>
    <script>
    Larholm = {}; // Object literal
    test.document.open(); // Stream data
    test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
    delete Larholm;
    Larholm = {}; // Crash
    </script>

SOLUTION

    Disable Active Scripting. Microsoft was contacted on 4 December
    2000. The bug is considered to be a code quality bug, and will be
    addressed in a future SP for IE.
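
    One way to audit and apply the "Disable Active Scripting" setting
    per security zone with PowerShell (an added example, not part of
    the original advisory). It assumes the per-user zone settings under
    HKCU, where URL action 1400 is Active scripting with values
    0 = enable, 1 = prompt, 3 = disable; settings enforced through
    policy keys are not covered.

```powershell
# Added example: report and optionally disable Active Scripting per zone.
# Assumption: per-user zone settings live under this HKCU key.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
# URL action 1400 (Active scripting): 0 = Enable, 1 = Prompt, 3 = Disable
$Policy    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    foreach ($zone in 0..4) {
        $path  = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $path -Name '1400' `
                    -ErrorAction SilentlyContinue).'1400'
        # A missing value means the zone falls back to its default template.
        $state = if ($null -eq $value) { 'Not set (zone default applies)' }
                 elseif ($Policy.ContainsKey([int]$value)) { $Policy[[int]$value] }
                 else { "Unknown ($value)" }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; ActiveScripting = $state }
    }
}

function Disable-ActiveScripting {
    # Defaults to the Internet and Restricted sites zones; HTML mail is
    # rendered in whichever of these the mail client is configured to use.
    param([int[]]$Zone = @(3, 4))
    foreach ($z in $Zone) {
        $path = Join-Path $ZonesKey $z
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
    }
}

# Report the current state; the change itself is left as an explicit step.
Get-ActiveScriptingState | Format-Table -AutoSize
# Disable-ActiveScripting -Zone 3, 4
```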