Hacking The Large Hadron Collider.
September 21, 2008

Flash, Fuzzing and Girls.
September 27, 2008

First off, I am not sure why Firefox 3 crashes, so I am going to speculate on this obvious stability issue a bit here. When I create an embedded object with its MIME type set to application/x-mplayer2, Firefox 3 raises a plugin warning. Doing this 10 consecutive times, Firefox instantly crashes. My hunch is that Firefox has built in some protection against malicious plugins being sourced from remote locations. That sounds fair enough, because a plugin should reside at the owner's website or at a known plugin page such as Microsoft's or Adobe's. Without the MIME type, Firefox just prompts that it needs the Media Player plugin, which I do not have installed in Firefox. The difference is the MIME type that I set for the application I want to embed. This also sparked my new interest in MIME-type fuzzing.
Proof of concept:
<script>
// Write eleven embed tags that all carry the Windows Media Player MIME type
for (var i = 0; i < 11; ++i) {
  document.write('<embed src="" pluginspage="file://" type="application/x-mplayer2">');
}
</script>
My guess is that it happens around line 6522 of nsPluginHostImpl.cpp, where nsresult rv is already NS_OK while we did not press the confirmation button on a second run [1].
Internet Explorer ActiveX crash.
ActiveX is fun. I have been fuzzing ActiveX lately with my new ActiveX fuzzer, and believe me, there is a wealth to be found. I won't share it all yet, but here is a good example. This CLSID is a very old Direct3D ActiveX HTML object which, surprisingly, Internet Explorer still supports. I have tested it on MSIE 7 and MSIE 8 beta 1. I did not do any stack traces, but it looks like fm20.dll is the culprit here, which should be the Microsoft Forms ActiveX class [2]. The reason the PoC below crashes seems to be the width/height of the object in combination with the parameters.
<OBJECT CLASSID="CLSID:978C9E23-D4B0-11CE-BF2D-00AA003F40D0" STYLE="WIDTH:33333;HEIGHT:33333;">
<PARAM NAME="ForeColor" VALUE=0xffffff>
<PARAM NAME="BackColor" VALUE=0xffffff>
<PARAM NAME="VariousPropertyBits" VALUE=0xffffff>
</OBJECT>
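As an added example (not the author's code), here is a small Python scanner that a proxy, mail gateway or triage script could run over page markup to flag the two patterns discussed above: many <embed> tags carrying the application/x-mplayer2 MIME type, and an <object> declaring an absurd width or height. The repeat limit, the dimension threshold and the SAMPLE markup are constructed for illustration; the CLSID is the one from the post.

```python
import re
from html.parser import HTMLParser

WMP_MIME = "application/x-mplayer2"
EMBED_REPEAT_LIMIT = 10       # the post reports a crash after ten such embeds
MAX_SANE_DIMENSION = 10000    # constructed threshold; the PoC declares 33333

def _int_prefix(value):
    """Leading digits of a length such as '33333px'; None if there are none."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

def _declared_dims(attrs):
    """Collect width/height from attributes and from an inline STYLE string."""
    dims = [_int_prefix(attrs.get(k, "")) for k in ("width", "height")]
    for decl in attrs.get("style", "").lower().split(";"):
        name, _, value = decl.partition(":")
        if name.strip() in ("width", "height"):
            dims.append(_int_prefix(value))
    return [d for d in dims if d is not None]

class CrashPatternScanner(HTMLParser):
    """Counts WMP embeds and checks every <object> for oversized dimensions."""
    def __init__(self):
        super().__init__()
        self.wmp_embeds = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # tag names arrive lowercased
        if tag == "embed" and a.get("type", "").lower() == WMP_MIME:
            self.wmp_embeds += 1
            if self.wmp_embeds == EMBED_REPEAT_LIMIT:
                self.findings.append("repeated embeds of " + WMP_MIME)
        elif tag == "object":
            dims = _declared_dims(a)
            if dims and max(dims) > MAX_SANE_DIMENSION:
                self.findings.append("oversized object " + a.get("classid", "?"))

def scan_html(markup):
    """Return findings for one page; an empty list means nothing was flagged."""
    scanner = CrashPatternScanner()
    scanner.feed(markup)
    return scanner.findings

# Constructed sample: the post's OBJECT PoC followed by eleven static WMP embeds.
SAMPLE = ('<OBJECT CLASSID="CLSID:978C9E23-D4B0-11CE-BF2D-00AA003F40D0" '
          'STYLE="WIDTH:33333;HEIGHT:33333;"></OBJECT>'
          + '<embed src="" pluginspage="file://" type="application/x-mplayer2">' * 11)
```

Note that the Firefox PoC above emits its embeds from script via document.write, so a scan of the raw source will not see them; feed the scanner a rendered DOM dump (or the page as the browser serialises it) to catch that case.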
[1] http://mxr.mozilla.org/firefox/source/modules/plugin/base/src/nsPluginHostImpl.cpp#6522
[2] http://support.microsoft.com/kb/224305
source: OWASP News