Microsoft Internet Explorer 4.0(1) (3.02 is reported not to be vulnerable) under Win95, Win98 and NT can be crashed and eventually made to execute arbitrary code with a little help from the tag.

The following opens a dialog box and closes IE 4.0. It seems that the long file extension causes a stack overrun. The stack is smashed, full with our values; EIP is also ours and CS=SS. So a string could be constructed that executes code on the client's machine.

Solution: Microsoft has issued a patch at their site - "Embed issue".

To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html

Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

-----------------------cut here and save as crashmsie.html---------------------
Trying to crash IE 4.71
40 80 160 170 180 190 200
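The advisory's trigger is an EMBED SRC whose file extension is far longer than any real extension. A content filter or mail/proxy gateway can flag that pattern without knowing anything about the browser internals. The script below is an added detection example written for this page; it is not the advisory's own code or test page. The EMBED/SRC regular expressions, the `MAX_EXTENSION_LEN` threshold of 16 characters and the sample HTML are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed threshold: ordinary extensions are a handful of characters, so anything
# much longer matches the overlong-extension pattern the advisory describes.
MAX_EXTENSION_LEN = 16

# Matches an EMBED tag (any case) and captures its attribute string.
_EMBED_RE = re.compile(r"<\s*embed\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# Matches src="..." / src='...' / src=bare inside that attribute string.
_SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                     re.IGNORECASE)


def extension_length(src: str) -> int:
    """Length of the file extension in a SRC value (0 if there is none)."""
    path = urlparse(src).path or src          # strip scheme/host/query if present
    name = path.rsplit("/", 1)[-1]            # last path component
    if "." not in name:
        return 0
    return len(name.rsplit(".", 1)[-1])


def find_suspicious_embeds(html: str, limit: int = MAX_EXTENSION_LEN):
    """Return (src, extension_length) for every EMBED whose SRC extension exceeds limit."""
    hits = []
    for tag in _EMBED_RE.finditer(html):
        match = _SRC_RE.search(tag.group(1))
        if not match:
            continue
        src = next(g for g in match.groups() if g is not None)
        ext_len = extension_length(src)
        if ext_len > limit:
            hits.append((src, ext_len))
    return hits


# Constructed sample: one benign embed and one whose extension is 40 characters long,
# the smallest of the lengths the advisory's test page lists.
SAMPLE_HTML = (
    "<html><body>"
    '<embed src="sound.wav">'
    '<EMBED SRC="test.' + "a" * 40 + '">'
    "</body></html>"
)

if __name__ == "__main__":
    for src, n in find_suspicious_embeds(SAMPLE_HTML):
        print(f"overlong extension ({n} chars): {src[:24]}...")
```

Run against a saved page or a gateway's decoded HTML body; a hit is a good reason to quarantine the content for clients that predate the "Embed issue" patch. The threshold is deliberately conservative, since the cost of a false positive on an embed is low.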