IE Shines On Broken Code

mschaef writes "While reading Larry Osterman'a blog (He's a long time Microsoftie, having worked on products dating back to DOS 4.0), I ran across this BugTraq entry on web browser security. Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse.' If you want to try this at home, he's also provided the tools he used in the BugTraq entry."

Because it's used to it?

[ideatrack (702667)]

There's a good phrase I can use to explain this one:

If you work in a monkey house, you expect to be pelted with shit.

What they didn't say

[by Anonymous Coward]

They didn't say that IE also started randomly installing Bonzi Buddy et al during the test, the users' credit card numbers were automagically emailed to Romania, there was an sudden increase in outbound port 25 traffic from the system, and they ended the session with about 37 momre toolbars installed then they started with.

which version of IE was it?

[jonwil (467024)]

Aparently, XPSP2 (including the new IE) was recompiled with the latest visual studio and with all the options turned on to better catch issues.

This is a blessing in disguise

[Darren Winsper (136155)]

I don't know if they still use it, but the Linux kernel developers used to use a program called "crashme" to help test kernel stability. Essentially, it generated random code and tried to execute it. Something like this for web browsers would make for a very useful procedure. Generate the code, throw it at the browser and log the code if it crashed the browser.

Re:This is a blessing in disguise

[pohl (872)]

I remember crashme, and I just checked the debian packages and anybody can "apt-get install crashme" to give it a whirl.

I'd like to second the AC's suggesting of taking these HTML test cases and constructing an apache module that creates garbage HTML like this. The result would be a great contribution all browsers.

The mozilla project did have a test that sent the browser to random pages accross the web, which exposed it to all sorts of garbaged HTML, I'm sure, but generating randomly garbaged HTML would probably be a more strenuous test.

Tried with Safari on OS X ...

[by Anonymous Coward]

Nothing crashed. I got blank pages, all the weird HTML and all, but no errors and nothing crashed. w00t.

Tested Konqueror

[unixmaster (573907)]

None of the samples in http://lcamtuf.coredump.cx/mangleme/gallery/ [coredump.cx] was able to crash Konqueror from KDE CVS Head. Heheh time to praise Khtml developers again!

Re:Tested Konqueror

[by Anonymous Coward]

http://lcamtuf.coredump.cx/mangleme/mangle.cgi

You're right, none of the samples work with Konqueror, however after doing a little testing myself with the above page it just took me about five tries to make it crash.

Bad luck? Maybe, but just try it yourself.

I've seen that before

[hwestiii (11787)]

I saw something like this (not quite, but similar) a few years ago working with Java Script.

I wasn't that experienced with it, and as a result, certain pieces of my code were syntactically incorrect. Specifically, I was using the wrong characters for array indexing; I think I was using "()" instead of "[]". I would never have known there was even a problem if I hadn't been doing side by side testing with IE and Mozilla. A page that rendered correctly in IE would always show errors in Mozilla. This made absolutely no sense to me.

It wasn't until I viewed the source generated by each browser that I discovered the problem. IE was dynamically rewriting my JavaScript, replacing the incorrect delimiters with the correct ones, whereas Mozilla was simply taking my buggy code at face value.

Re:I've seen that before

[Zarf (5735)]

I think I was using "()" instead of "[]".

MSIE was embracing and extending your new syntax. They were effectively defining their own JavaScript variant. Meaning their JavaScript was a SuperSet of the real JavaScript standard. That means you can more easily fall into the trap of writing MSIE only JavaScript and inadverdently force your clients/customers/company to adopt MSIE as your standard browser.

strategic point of view

[ragnar (3268)]

I may be a little paranoid (heck, I actually am) but I've long suspected the IE support for loose HTML was a strategic decision. Go back to the days when Netscape would render a page with a unclosed table tag as blank. IE rendered the page, and I often encountered sites that didn't work on Netscape.

It could be a coincidence, but the loose HTML support of IE led to a situation where some webmasters conclude that Netscape had poor HTML support. You can argue about standards all day long, but if one browser renders and another crashes or comes up blank there isn't much of a contest.

His examples do not really crash Firefox

[SmilingBoy (686281)]

The author gave some examples that are supposed to crash Mozilla, Opera, Links and Lynx at the following URL:

http://lcamtuf.coredump.cx/mangleme/gallery/ [coredump.cx]

I opened all the pages in tabs in Firefox 0.10.1 under Windows 2000, and Firefox did not crash. It became somewhat unresponsive, but I could still select other tabs, minimise and maximise. I could not load new pages anymore.

Can someone else test this as well, please?

And can someone tell us whether this has security implications or not?

Who's Who

[Effugas (2378)]

Ugh. Not the best written Slashdot entry.

Larry Osterman -- former Microsoft guy; someone forwarded him a post to Bugtraq.

Michael Zalewski -- absurdly brilliant [coredump.cx] security engineer out of Poland. Did the pioneering work on visualizing [wox.org] randomness [coredump.cx] of network stacks, passively identifying operating systems [coredump.cx] on networks, and way way more.

Nothing bad against Larry. But this is all Zalewski :-)

--Dan

IE Crashes On Valid HTML!

[Diplo (713399)]

Nevermind using random garbage to crash a browser, you can make IE6 crash with perfectly valid strict HTML.

Try this page [nildram.co.uk] in IE6 and then hover your pointer over the link. Crash!!!

Re:IE Crashes On Valid HTML!

[Grey Ninja (739021)]

Don't forget this one either. [neilturner.me.uk] (Mind you, this one has been fixed in XP SP2)

There is actually some truth to the matter

[grinder (825)]

Case in point.

Last week I wrote some Perl to process an mbox mail folder. I just wanted a quick and dirty way to view its contents in a web page. A couple of CPAN modules and a few dozen lines of code and thing was done. Then I started to get fancy and dealing with stuff like embedded MIME-encoded GIF images. This was pretty simple to do, but I made a mistake. Once I had the decoded GIF data lying around, I wrote it to the HTML file of the current e-mail message, rather than writing it to a seperate file and writting <img src="foo.gif"> in the HTML file.

I was viewing the results with Firefox 0.10.1. When it got to a message with an embedded GIF, with a big slodge of GIF binary data sitting in the middle of the page, Firefox either just sat there spinning its hourglass, or crashed and burned.

Then I looked at the same file with IE, and the GIF image showed up. I was puzzled for a while until I noticed that in the directory where I had created the file, no GIF files had been created. It is of course arguable that IE should not have attempted to render the GIF image from the binary data sitting in the middle of the page, but it did so without complaint. Not rendering it would also be acceptable.

Firefox, on the other hand, has a number of better alternatives to crashing or hanging. Should it display gibberish (like when you forget to set up your bz2 association correctly) or nothing, or the image? I don't know, and don't particularly care about which course of action is taken. Anything is better than crashing, especially when IE doesn't.

Anyway, I fixed the Perl code, and all is well.

The End

handling malformed data is a pretty bad idea ...

[cascadingstylesheet (140919)]

... and here's why.

With correct data (in this case, HTML), there is a specified action that is "correct". In other words, a correctly marked up table will get layed out, according to the W3C rules for laying out tables. A paragraph will get formatted as a a paragraph, etc.

With malformed markup, the "correct" thing to do is indeterminate. If every browser just takes its best guess, they will all diverge, and the behavior is wildly unpredictable. Even from version to version of the same browser, the "best guess" will change.

"So? You've just described the web!" Well, exactly, but it could have been avoided. Bad markup shouldn't render. It ain't rocket science to do (or generate, though that can be a harder problem) correct markup. If you had do it to get your pages viewed, you would. Ultimately, it wouldn't cost anymore, and would actually cost less (measure twice, cut once).

Of course, what I just wrote only really applies in a heterogenous environment ... which MS doesn't want ... fault tolerance in your own little fiefdom can make sense.

Dumb developer question

[Halo- (175936)]

Wow, what a great test tool! I do software dev for a living, and the hardest part is when a user says: "umm, I did something, and it crashed... I dunno what..." and then you can't reproduce the problem. The problem exists, but due to the complexity of software, its environment, and the subtleties between the way individuals use it, it's hard to reduce the problem down to a few variables...

A tool like this would let the average wanna be contributer find a reproducable bugs and try to fix them. Which brings me to my dumb question: Is the Mozilla gecko engine more easily built/tested than the whole of Firefox? I love FF, and wouldn't mind throwing some cycles at improving it, but the entire build process is a bit more than I really want to take on... If I could just build and unit-test the failing component I'd be more likely to try.

Anyone have pointers beyond the hacking section at MozillaZine?

Re:Security Issues

[mccalli (323026)]

Does the fact that most of the browsers crash mean that they are vunerable in some way?

Potentially.

does the fact that they do crash a good thing?

No. Never ever is it a good idea to crash on receipt of invalid data. It's up to the program to try and parse this, realise it can't do so successfully, then act ccordingly (error message, best-guess try, whatever. I prefer error message myself, but can understand those who prefer best-guess).

Cheers,
Ian

Re:Security Issues

[Trillan (597339)]

XHTML is supposed to be refused if malformed; HTML prior to 4.0 is supposed to be best-guessed. I'm not sure what the behaviour of 4.0 Transitional and 4.0 Strict is supposed to be, but I'm sure it's documented as part of the spec.

Re:Security Issues

[FireFury03 (653718)]

XHTML is supposed to be refused if malformed; HTML prior to 4.0 is supposed to be best-guessed.

This reenforces my belief that XHTML is the way forward since it reduces the code complexity of the browser:

XHTML: Try to parse - fail - give up
HTML: Try to parse - fail - Try to reconstruct - hit bug - crash

XHTML is also good because it removes the fuzzy area of what to do if the code is crap - with HTML, a web developer will write a page, won't bother to validate it and just check it works in IE. Since different browsers have different methods of fixing broken code, the results of this page are not platform independent. With XHTML, if the developer writes broken code it just plain won't work. The management who pay the web developer probably don't know anything about standards compliance and if it works in IE the developer gets paid, but if it just sits there with a parse error the developer will either have to fix it or not get paid (Good Thing).

That said, IMHO there is something to be said for a couple of additions to the XHTML spec:

1. a button on the "parse error" page which tells the browser to render it as tag soup - that way the end user can try to view the page anyway even if it's broken (whilest still being informed that it really is broken code).
2. an automatic feedback system in which the browser will post details of the parse error back to the server. Otherwise the developer may never know there's a problem (especially important with dynamically generated markup which may not be easilly validated).

Similarly, it would be really nice, IMHO, if browsers made it clear (by placing a big X on the status bar or something) when they are viewing broken *HTML* code since this would indicate to the user why the page might not look quite right and would be an indication to the management not to pay the web designer they hired since he is obviously lacking in the ability to do his job.

Re:Security Issues

[Just Some Guy (3352)]

But is that according to the people who wrote the XHTML standard, or the user who just wants to see the web page?

Just to be clear, unparseable XHTML is not XHTML. In "Matrix" terms, there is no web page. Instead, there is a string of text that may resemble XHTML to the casual observer but that doesn't really represent anything at all.

Arguing that browsers should half-support broken XHTML is like saying that a C compiler should do something whenever it encounters invalid C, since the user obviously wants to run the code and isn't interested in bowing to the pedantic demands of some irrelevant standards committee.

One is rather more important than the other in this context.

I agree completely, but I don't think it's the one that you picked.

Re:An important security sidenote

[UfoZ (680310)]

or perhaps used one of their .NET languages, rather than programming in straight C like the others

Not likely, since IE was created ages before .NET, and I don't quite think they decided to scrap and rewrite the entire parsing engine since then :)

As for the malformed HTML, it didn't crash my firefox, but I'll try again a couple of times just in case ;)

Re:An important security sidenote

[BarryNorton (778694)]

Not likely, since IE was created ages before .NET, and I don't quite think they decided to scrap and rewrite the entire parsing engine since then

Indeed. It would be interesting to know how much of it is preserved from the pre-Microsoft Mosaic code...

Re:An important security sidenote

[peterhoeg (172874)]

Go the "gallery" he mentionds is his entry and try the mozilla_die?.htm files. With Firefox 1.0PR the first one did the trick for me and crashed firefox.

Re:An important security sidenote

[bunratty (545641)]

Yep, the first mozilla_die entry crashes Mozilla 1.8a4 for me, too. Sounds like the tests are repeatable enough. Now quick, everybody rush to file bug reports and the winners can collect their $500 [mozilla.org]!

Re:An important security sidenote

[InsaneCreator (209742)]

My first instinct would be that the HTML parsing engine in Internet Explorer was written by a different team of programmers than worked on the rest of the software

I's say the same about outlook express. Most security holes in OE were due to bad "glue" between components. And if I'm not mistaken, most holes in IE are also caused by bad integration.
It sure looks like the expert programmers create components which are then bolted together by an army of "learn programming in 24 hours" drones.

Re:An important security sidenote

[jallen02 (124384)]

I think you mis-estimate how hard it is to manage projects with the complexity of Internet Explorer. Even teams of really good developers with noe one "non-expert" can be brought down by the integration trap. It can probably all be led back to the Waterfall development paradigm where you do things in huge chunks: "Requirements, Design, Implement, Integrate, Pray, Test". Each of those is done as a discreet phase. Any devleopment process still following that basic model tends to fall apart somewhere around Integrate. Even with better development paradigms such as agile development there are considerable challenges in integrating something so large as IE.

But that *IS* the point of Agile development, to ensure that every step of the way things are working toghether smoothly. The basic point is regardless of the paradigm IE is a big project with many different components requiring a high degree of integration. A key problem with many different components that are highly integrated is the fact that these components tend to "trust" each other to much. Meaning they just assume this component is friendly. If all integrated components were a little less trusting I think software as large and as complex as IE could be more secure.

This is just a guess, I don't know much about internal Microsoft culture. I have however seen security problems of this scale in projects I have cleaned up and worked on and the problems stem from the exact problems I describe. So its reasonable to assume that somewhere along the way MS has made the same mistakes everyone else does in the software world. Just because they have LOTS of smart people doesn't mean they are any better at managing software processes. Just look at what they are doing with the LongHorn requirements :)

Jeremy

Re:An important security sidenote

[dioscaido (541037)]

Your first instinct would be wrong, at least when it comes to it being built by a separate team. The fact is, as hard to believe at it is, for the past year Microsoft has put in place for every product systematic development techniques that directly target the security of an application (Threat Modeling, Secure coding techniques). Furthermore, this kind of test is standard within Microsoft (feed random inputs to all possible input locations). And once all the coding is done, the source still has to pass inspection through a security group within Microsoft! You can read about this stuff at the secure windows initiative [microsoft.com].

And this shift is working. The trend per-product is a significant reduction in security vulnerabilities. That is not to say there aren't any, that would be impossible, but if you look at the vulnerability graph for, say, Win2k Server since it's release, and win2k3 Server since it's release, there is a significant drop in the amount of vulnerabilities that are coming in since the release of the product. Furthermore, a large part of the vulnerabilities are found from within the company. The same thing can be said for most products, including IE, IIS, Office, etc... We're getting there....

Now, go off and run as LUA [asp.net], and nip this stupid spyware problem in the bud.

Re:An important security sidenote

[Erik Hollensbe (808)]

This is a simple, nearly infallible rule of detecting exploits, to the point where I even know it. :)

If you can get a program to write past the end of it's allocated memory segment, you can overwrite all sorts of fun stuff with things like shellcode and anything else you want to throw in the executable stack.

The program (I read the SF post yesterday) generates standard things that would confuse a program in HTML - Null (ASCII 0) characters, overly large integers (Opera, IIRC, brought his system to a halt with a giant colspan="" element), things that need to be checked pre-emptively.

Regardless of his "bias", this is a problem. In fact, sometimes the people with the most to gain do a great job giving the others the opportunity to gain instead. Either way, he just upped the bar for browser security, which benefits us all.

Don't just blow him off.

Re:An important security sidenote

[Erik Hollensbe (808)]

Actually, it is a large facet of security.

Are you familiar with XSS attacks? As a guy who writes web backends, I am. As a result, I have to make sure that every bit of content that comes to me and is subsequently displayed (which can get fun, especially if you have a database with 20M customers before you get started) needs to have no HTML tags, or even worse, allowable HTML tags. This can get very slow when processing a lot of content. If you have a templating language which uses different tag endings than an HTML tag, you've got another set of content to scan for. This is the reason things like mod_security were invented. Thing about a bulletin board or a "product review" system and how much content is availble to be sent straight to the database by one person and echoed right back to another.

SQL injection. While good database API's solve this, some systems don't (ahem... PHP's raw API). This is easily solved by something like DBI or PEAR's DB abstraction layer (which the name of escapes me), but once you're up to your knees in mud, it becomes a whole new nightmare. With the new mysql GRANT vulnerability (especially since, last I checked, mysql doesn't support binding at the client API level), SQL injection becomes something that can not only effect your live app, but something much more dire indeed. I won't even get into sql procedures that perform admin tasks.

The fact that IE passes a test, while other's don't, that it was made to pass, that says somethign positive about IE's security, and is not to be blown off. After all, I can inject some of that "wonderful" content right here and it might crash your browser, because there's nothing stopping me from doing it in slashdot's code. If I had the fingernail clipping of that guy's knowledge, I might be able to do something worse.

Of course, if you were running IE, you wouldn't have that problem. Do you understand now?

Re:An important security sidenote

[dioscaido (541037)]

That's certainly a good point (pre 2000).

The good news is that now people are required to know Writing Secure Code [microsoft.com], and (more recently) Threat Modelling [microsoft.com] by heart. I can tell you first hand those approaches have been adopted company wide. While Threat Modelling can be time consuming, I've personally found possible issues in code that we wouldn't have noticed without it. Plus we got other people outside our department looking at our code. All in all this is the best approach we could be taking. Microsoft is not sitting on it's ass about this issue.

Re:An important security sidenote

[Erasmus Darwin (183180)]

"My guess is this was recompiled with the new SP2 compilers?"

My understanding of the SP2 compilation changes is that existing buffer-overflows still exist and will still cause the program to crash. The difference is that overflows which previously allowed the attacker to execute arbitrary machine code will instead crash before the code is executed.

Re:An important security sidenote

[afidel (530433)]

The difference is that overflows which previously allowed the attacker to execute arbitrary machine code will instead crash before the code is executed.

Almost, it's more like they will crash and there is a near zero chance of the code being executed even by another running process because the area has been flagged as non-executable and the cpu will refuse to run anything found in that memory space.

Re:So what is "random" here?

[Kick the Donkey (681009)]

Thats the thing about randomness. You can never be sure.

Re:An important security sidenote

[Anonymous Brave Guy (457657)]

I don't see how this is a bad thing. This just means that IE does not catch some of the malformed code people use to cause havoc on the net.

But the other browsers not only didn't catch it, they actually crashed when parsing it. I'm all for compatibility and standards compliance where possible, but a crash/potential security hole is far more serious an issue than letting through some sloppy HTML. (Besides which, as a user, I find it infuriating that Mozilla/Firefox are so stuck up on perfectly standard HTML that they just don't work with some web sites that are perfectly usable in IE anyway.)

Re:An important security sidenote

[UberGeeb (574309)]

I've come across plenty of sites that either don't work at all or are broken unless you use IE. Generally, it's because the site looks at the browser's identification tag and sends crippled pages to non-IE browsers. I can only think of one site I use regularly (a web app at work) that actually doesn't work in Opera if I set it to report itself as IE.

You might make sure that the sites you're having trouble with in Firefox are actually providing the same data they're giving IE before you assume it's a problem with the browser.

Re:An important security sidenote

[Hatta (162192)]

Besides which, as a user, I find it infuriating that Mozilla/Firefox are so stuck up on perfectly standard HTML that they just don't work with some web sites that are perfectly usable in IE anyway.

As a user, I find it infuriating that people write non-standard compliant HTML that only works in one proprietary browser.

Re:An important security sidenote

[wheany (460585)]

A program must never crash because it received bad data. You always have to validate user input and there must always be sanity checks. If the browser receives malformed code, at worst it can give an error message, but it must never crash.

Crashes are always considered bugs.

Re:An important security sidenote

[CausticPuppy (82139)]

I don't see how this is a bad thing. This just means that IE does not catch some of the malformed code people use to cause havoc on the net.

Let's turn it around... if it was IE that was crashing on bad HTML, and the other browsers simply ignored it, would you be making the same argument? IMO, the slashdot headline would then be "IE Crashes on simple malformed HTML."

How is it a bad thing when other browsers refuses to read that code. Isn't that a good thing? A good example is a compiler most compilers catch overflows and don't allow you to finish compiling.

NO, no, no, no!! It is a BAD thing, because at the very minimum it's a sign of non-existent exception handling. You should never get a runtime error from bad input. In some cases, you create an infinite loop-- is there any excuse for that?
And considering the nature of the crashes (one of the links caused Firefox 1.0PR to die with a windows memory error, shutting down ALL instances of firefox) this means that some memory was accessed that shouldn't have been, which means that you could conceivably put executable code into memory simply by constructing the right "invalid" HTML. Lo and behold, you now have a buffer overflow exploit for Firefox. And we're telling all the IE users on Windows to switch to Firefox!

I'm a firefox user, and there's no way I'm switching back to IE, but this MUST be fixed. Now that it's well known, I'm sure there will be a patch for Firefox fairly soon, though I have a feeling the code changes will be somewhat involved.

Re:An important security sidenote

[by Anonymous Coward]

Idiot. Crashing = denial of service attack.

*Your* first lesson in computer security is, and write this a thousand time: *crashing* on malicious code is *BAD*, whereas *recovering* from the situation and responding with an *error message* is *GOOD*.

Re:An important security sidenote

[by Anonymous Coward]

*crashing* on malicious code is *GOOD*, while *running* malicious code is *BAD*.

Holy crap! How absolutely untrue. If your program is crashing, you've lost all control. If you still had control, it wouldn't have crashed: it would have printed an error message.

Once you've lost control of your program, all bets are off. The only difference between crashing and taking control is exactly WHAT bad data you feed into the program. These browsers simply crashed because RANDOM data was being fed in. That random data could be changed to carefully-crafted executable code, and BAM, your harmless "crash" is a security exploit.

Re:This is known

[Mr_Silver (213637)]

It's quite known that broken code runs quite well on IE.

Great, but then it also encourages people to write bad code - see all that code with broken tables and a million tags that remain unclosed?

You're confusing two seperate things here:

1. Broken HTML which doesn't render properly.
2. Broken HTML that causes corruptions, crashes and the potential for security issues.

This guy has been testing for (2) and not (1). Bad HTML should never cause crashes, memory corruption and buffer overflows. Period.

Finally, you can't go blaming the users for bad input. One of the golden rules of software design is that all software should either reject or handle gracefully bad input. Crashing is not graceful.

Re:This is known

[StrawberryFrog (67065)]

No. I don't care how bad the input is, if my program reads the input and throws an access violation, then it is my job to fix my program, test the input more, assume less about it or whatever, until my program does something more sensible and less dangerous with the input - like giving up with an error message or even an assertion failure.

I repeat: code that crashes with a null pointer error is wrong. End of story.

Re:What about VALID html?

[tomstdenis (446163)]

This isn' insightful at all. First, you'll be the first person to bitch when a mozilla virus comes out.

Second, "crashing when invalid" as you and many others are alluding to is NOT a good idea. What if you had another tab open with email/urls/info you needed?

What if other software took this route? Invalid operands to open()? Time to crash. Invalid socket used in send()? Time to crash. Segfault in application? Kill the kernel processes!

It's a problem, it has to be fixed and there aren't two ways about it.

Tom

Re:Excellent!

[metlin (258108)]

Actually, the code does not seem that great.

Here's the mozilla_die1.html code

<HTML><INPUT AAAAAAAAAA>

And the mozilla_die2.html code

<HTML>
<HEAD>
<MARQUEE>
<TABLE>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<MARQUEE HEIGHT=100000000>
<TBODY>
Attack of the marquees!

It looks like he came across places where either boundary checks or type checks are not in place.

Besides, he's had access to almost all the browswer code, hasn't he?

I mean, these bugs are bad, but I'm sure if I had access to IE's code I could come up with a zillion bugs.

Re:Excellent!

[eht (8912)]

One guy with ten minutes came up with ways to crash Mozilla, Lynx, and Links, yet hundreds of thousands of programmers with years of access to the same code haven't fixed these same bugs.

Re:Excellent!

[EMN13 (11493)]

As he stated in the article; the crashes are sometimes platform-specific.

I've tried this in 1.0PR firefox on win32, and the crashes do occur there.

I've gotta say - this really looks like a great tool; a simple and effective way of finding some bugs!

--Eamon

Re:This Is to MS's Clear Business Advantage...

[nmg196 (184961)]

> all the error correction code helps to keep IE bloated and slow.

Bloated compared to what?!

Slow compared to what?

IE has quite a small footprint for a web browser. I've opened this page in IE and Firefox. Currently IE is using 19Mb of ram and Firefox is using 28Mb. In fact, currently the top three processes using the most RAM on my machine are all open source products (the top two being Firefox and the enormously memory hungry Thunderbird which is currently using 58mb of RAM). All the commercial software comes later.

IE also tends to render pages faster than Firefox under most circumstances (except where Linux advocate article authors have carefully crafted CSS heavy pages which cause IE to slow down a bit).

Re:so?

[Maestro4k (707634)]

• So what? I have never had a problem with my Firefox crashing (ever). Sure, if you try to make something crash, it eventually will. Considering how much security holes IE has, IE could be the missing link, and I still wouldnt use it.

Just because you haven't crashed it doesn't mean it's not happening. I switched my Mom over to Firefox for her computer's safety about 2 months back. She's still using it, but it crashes for her regularly and it's becoming a big frustration for her. As she put it "why does Firefox crash so much, IE never crashed on me?" If Mozilla/Firefox/Opera/etc. hope to continue gaining ground on IE, then this type of thing needs to be addressed.

As I see it the major problem that Mozilla/Firefox has is the vast majority of those using it (and most definitely the vast majority bothering to report bugs/crashes) are techies. Why is that a problem? Well we probably don't spend our time to going to "silly" E-card sites and joke sites that use bad flash/html. Sure we can dismiss those sites as not important, because to us they aren't, but to a large portion of the average users out there they're one of the most important things they do in a browser because to them they're fun.

So I'm betting Mozilla/Firefox actually crashes regularly on non-techies simply because they visit sites that most techies don't bother to test the browser on.