Vulnerability Note VU#774338

Microsoft Internet Explorer DHTML objects contain a race condition

Original Release date: 12 Apr 2005 | Last revised: 18 Aug 2005


A race condition in the way that Internet Explorer handles DHTML objects may allow a remote attacker to execute arbitrary code on a vulnerable system.


According to Microsoft:

    Dynamic HTML (DHTML) is built on an object model that extends the traditional static HTML document which enables Web authors to create more engaging and interactive Web pages.

Microsoft Internet Explorer contains a vulnerability in the way that it handles DHTML Objects. According to MS05-020:
    A race condition could occur in Internet Explorer when it processes DHTML objects.
The race condition occurs when appendChild is used to append an element in one window to an element in another.

For more information please see MS05-020.

Please note that exploit code for this vulnerability is publicly available.


By convincing a user to view an HTML document (e.g., a web page or HTML email message), an attacker could execute arbitrary commands or code with the privileges of the user. The attacker could take any action as the user. If the user has administrative privileges, the attacker could take complete control of the user's system.


Apply a patch
Apply a patch as described in Microsoft Security Bulletin MS05-020. Please also note that Microsoft is actively deploying the patches for this vulnerability via Windows Update.

Disable Active scripting and ActiveX controls

To protect against this and other IE vulnerabilities, consider disabling Active scripting and ActiveX controls in the Internet Zone as described in the Malicious Web Scripts FAQ. Consider disabling Active scripting and ActiveX controls in the Local Machine Zone. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone and 315933 for information about displaying the Local Machine Zone (My Computer security zone) on the Security tab in the Internet Options dialog box.

Note that disabling Active scripting and ActiveX controls in the Internet Zone will reduce the functionality of some web sites. Disabling these features in the Local Machine Zone will reduce the functionality of some programs, including the Help and Support Center in Windows XP.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-12 Apr 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was publicly reported by Microsoft who credits Berend-Jan Wever working with iDEFENSE.

This document was written by Jeff Gennari and Will Dormann.

Other Information

  • CVE IDs: CAN-2005-0553
  • Date Public: 12 Apr 2005
  • Date First Published: 12 Apr 2005
  • Date Last Updated: 18 Aug 2005
  • Severity Metric: 21.80
  • Document Revision: 31


If you have feedback, comments, or additional information about this vulnerability, please send us email.