A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to cause a denial of service. This flaw is due to a NULL pointer dereference error when appending a "frameset" element to a "table" object via the "appendChild()" method, which could be exploited by attackers to crash a vulnerable browser by tricking a user into visiting a malicious web page.

Affected Products

Microsoft Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2006/2701
http://browserfun.blogspot.com/2006/07/mobb-7-tableframeset.html

Credits

Vulnerability reported by Aviv Raff

Changelog

2006-07-07 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.