In association with heise online

Internet Explorer - Execution of any programs via onload

In May 2005, Benjamin Tobias Franz pointed out that Web pages that use the JavaScript command onload() in the body tag may crash the Microsoft browser. In November, English security experts documented that a Web page may also infiltrate and execute code through this problem. While their demo only launched the Windows calculator, Web sites can, for instance, smuggle in the Trojan Win32/Delf.DH, which adds itself as file KVG.exe or keks.exe to the autorun folder and downloads other malware.


This demo "only" crashes Internet Explorer. If your browser crashes when "test" is clicked, a Web site may, however, also be able to install malware on your system. If your browser does not crash, the demo did not work properly.



In the MS05-054 Microsoft has published a patch to remedy this vulnerability.

To protect yourself, you can disable active scripting in the security settings, but this means that many Web pages will not work properly any more. The Internet Explorer is the only browser affected by this problem.


  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit