Vulnerability

    IE

Affected

    IE 5.x, 6Beta

Description

    Elie  Aka  Lupin  Bursztein  found  following.   By  putting  this
    malformed link on a web page a malicious user could crash all  the
    IE windows.  It  also work by passing  the link directly into  the
    address field of IE.

    The following url Crash IE:

        ftp://whatever//.#./

    First it doesn't work  with http:// .   We could also notify  that
    when we put this link in a  web page and we select it and  trie to
    copy   the   link   we   get   "ftp://whatever//#./"   instead  of
    "ftp://whatever//.#./" .   Of course  "ftp://whatever//#./"  crash
    IE as well...  It is the  same for the  status bar: we  could read
    "ftp://whatever//#./" instead of "ftp://whatever//.#./" .  Finally
    if you tape very  slowly in the address  field this url, It  crash
    also IE, That's why i suppose that IE 4 is not vulnerable to this.

    It's  a  call  of  msieftp.dll  who  cause  the  crash.   Elie has
    determine  this  by  using  a  debugger according to the following
    code:

        7120B8D3 push dword ptr [ebp+14h]
        7120B8D6 call dword ptr ds:[712012D8h] //this is what cause the crash
        7120B8DC cmp byte ptr [eax],0
        7120B8DF jne 7120B93A
        7120B8E1 lea eax,[ebp+8]
        7120B8E4 push eax
        <--snipe -->
        7120B93A mov eax,edi
        7120B93C pop edi
        7120B93D pop esi
        7120B93E leave
        7120B93F ret 14h
        7120B942 push ebp
        7120B943 mov ebp,esp

    It doesn't seems to  been exploitable to me,  but may be you  will
    find something.

Solution

    Microsoft has been notice during the week and they have told  that
    the bug will be fix in the next Service pack.