HTML Rendering Crashes IE 1000
SlimySlimy writes "According to this article on Secunia, a new IE exploit was found that crashes almost any version of Internet Explorer past 4.0 with just 5 lines of plain HTML code (no JavaScript, ActiveX, etc.). If you're very brave, you can test/crash your IE by going here." There's also a note on SecurityFocus.
Re:You're shitting me. (Score:2, Insightful)
if (inputType == crash)
{
weReallyRock();
}
The code should have had a huge #ifdef _DEBUG in front of it or something to prevent a crash.
Re:MSIE 5.1.5 (4719) for MacOS 9 is NOT affected (Score:2, Insightful)
Well then I RTFA'd... bug in a DLL under XP. I wouldn't call that "almost any version of MSIE past 4", but hey, this is Slashdot. At least I know it's not a fundamental problem with IE's rendering engine and it's simply an accidental thing that happened to a new Windows version. Windows with a bug, who'd have thought?
So.... (Score:4, Insightful)
Slow news night, eh?
Re:bah (Score:5, Insightful)
Here we have a simple bug that should be a test case. The word "crash" is not required, just that the type directive has a null value since it is not followed by an equal sign.
The code would not hang the browser. The code would crash it just the same as it is again missing the equal sign. It's completely conceivable that a developer who hand-codes HTML would accidentally omit the character.
This is simple buffer underflow checking: "does the thing I just received have the minimum expected size/value?" and just like all the buffer overflow issues, they don't bother checking the untrusted input before sending it off for critical processing.
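The null-value case this post describes, as an added example that is not Microsoft's, any browser's, or this poster's code: a small C tokenizer for one start tag that records whether each attribute actually carried a value, plus a lookup that applies HTML's default of "text" when `type` is naked (as in `<input type crash>`), empty, or unknown, instead of reaching through a value that was never there. Every function and type name here is mine, and the list of recognized input types is a deliberately short subset.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ATTRS 8

/* One parsed attribute. has_value is 0 when the attribute appeared
 * without "=value", which is exactly the case the thread is about. */
typedef struct {
    char name[32];
    char value[64];
    int  has_value;
} attr_t;

/* Parse the attributes of a single start tag such as "<input type crash>".
 * Returns the attribute count, or -1 if the tag is malformed (unterminated,
 * unbalanced quote, too many attributes). Names are lowercased. */
static int parse_tag_attrs(const char *tag, attr_t *out, int max) {
    const char *p = tag;
    int n = 0;
    if (*p != '<') return -1;
    p++;
    while (isalnum((unsigned char)*p)) p++;            /* skip element name */
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '>') return n;
        if (*p == '\0' || n >= max) return -1;
        size_t i = 0;
        while (*p && !isspace((unsigned char)*p) && *p != '=' && *p != '>') {
            if (i + 1 < sizeof out[n].name)
                out[n].name[i++] = (char)tolower((unsigned char)*p);
            p++;
        }
        out[n].name[i] = '\0';
        out[n].value[0] = '\0';
        out[n].has_value = 0;
        if (i == 0) return -1;                            /* stray '=' etc. */
        while (isspace((unsigned char)*p)) p++;
        if (*p == '=') {                                  /* explicit value */
            p++;
            while (isspace((unsigned char)*p)) p++;
            char quote = (*p == '"' || *p == '\'') ? *p++ : '\0';
            size_t j = 0;
            while (*p && (quote ? *p != quote
                                : (!isspace((unsigned char)*p) && *p != '>'))) {
                if (j + 1 < sizeof out[n].value) out[n].value[j++] = *p;
                p++;
            }
            out[n].value[j] = '\0';
            if (quote) { if (*p != quote) return -1; p++; }  /* unbalanced quote */
            out[n].has_value = 1;
        }
        n++;
    }
}

/* Case-insensitive string equality (attribute values are case-insensitive). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Defensive lookup: a missing, empty or unrecognized type resolves to "text",
 * which is HTML's own default. Nothing is dereferenced on the naked path. */
static const char *resolve_input_type(const attr_t *attrs, int n) {
    static const char *known[] = { "text", "password", "checkbox", "radio",
                                   "submit", "reset", "file", "hidden" };
    for (int i = 0; i < n; i++) {
        if (strcmp(attrs[i].name, "type") != 0) continue;
        if (!attrs[i].has_value || attrs[i].value[0] == '\0')
            return "text";                               /* <input type crash> */
        for (size_t k = 0; k < sizeof known / sizeof known[0]; k++)
            if (ieq(attrs[i].value, known[k])) return known[k];
        return "text";                                   /* unknown value */
    }
    return "text";                                       /* no type at all */
}

/* Parse one tag and resolve its input type; NULL means "malformed, refuse". */
static const char *input_type_of(const char *tag) {
    attr_t attrs[MAX_ATTRS];
    int n = parse_tag_attrs(tag, attrs, MAX_ATTRS);
    if (n < 0) return NULL;
    return resolve_input_type(attrs, n);
}

int main(void) {
    /* Constructed sample tags, including the one from the thread. */
    const char *samples[] = { "<input type crash>", "<INPUT TYPE='Password'>",
                              "<input name=q>", "<input type=\"oops>" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *t = input_type_of(samples[i]);
        printf("%-26s -> %s\n", samples[i], t ? t : "(malformed, rejected)");
    }
    return 0;
}
```

The point is the branch in resolve_input_type: the tokenizer makes "attribute present, value absent" an explicit, representable state, so the consumer has something to test rather than a pointer it assumes is populated. A malformed tag is reported to the caller instead of guessed at.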
Worth Pointing Out, I Think (Score:5, Insightful)
That is in a consumer OS (XP Home) that costs less than $100, and has tens of thousands of commercial apps available in almost every language. (probably millions if you include shareware/freeware)
Whether it's my mom or another engineer, I feel pretty good about telling them XP is a solid OS that can do what they need. (likewise with IE)
Not many years ago, it would have seemed pretty petty to obsess about such a bug--and that's when it would've forced a reboot.
I'm not shy about criticizing MS when appropriate, but to come from Windows for Workgroups to XP in 10 years is pretty impressive, especially for a company of its size.
If it were me, I'd spend my time debating the Software Formerly Known As Palladium, and not lose the forest for the trees by mocking MS for this kind of item. I fart bugs bigger than this.
oh, big deal (Score:2, Insightful)
Re:So.... (Score:5, Insightful)
Second: It's simple. It's cute. It's the kind of bug that makes a dev go, "Doh!", and so it's not absurd to show some interest in it. It's also a fun game to try to pin down what the problem is.
Third: Does it warrant a /. story? Have you seen half the stories that come through here? ;)
Use a fresher Phoenix (Score:3, Insightful)
Re:OS X IE Is Unaffected (Score:5, Insightful)
So hold your chickens before they jump the conclusion.
Re:Phoenix (Score:2, Insightful)
Re:Inquirer says one line (Score:5, Insightful)
And anyway, even if your version requires more than that, it can still be all on one line, eg:
<html><form><input type crash></form></html>
Since carriage return/line feed pairs are totally unimportant in HTML (except with the <pre> tag, and maybe one or two others), it's silly to talk about how many "lines" it takes anyway.
Re:Ok ok, that's it, nothing more to see here... (Score:2, Insightful)
Sure. [mozilla.org] It'd be appreciated, too.
Bugs, crashes (Score:5, Insightful)
Re:bah (Score:2, Insightful)
Je me souviens [wikipedia.org].
According to Microsoft, Internet Explorer is part of the OS. Therefore, if MSIE crashes, your OS has crashed. Bill Gates said it, not me. Complain to him if you think it's wrong! He made your OS!
You can't lie to a judge and not expect to be picked apart on it for life.
Re:An infinite loop is not a bug in the applicatio (Score:3, Insightful)
No, if that does indeed crash an application it's a bug (and I'll assume, for the sake of argument, that the parent is correct even though other posters have stated they can't get Mozilla to crash from this). Applications should not respond to any input by crashing and applications should give the user a chance to lose data because someone on the net essentially (perhaps inadvertently) instructed the application to crash.
I appreciate the logic of the loop you're describing, but the proper response to that is not to crash or enter some state where a user's data can be lost.
Re:mozilla crashes too (Score:5, Insightful)
I can't think of a browser released in the past couple of years that *crashes* on bad HTML, except for this particular issue. Misrenders, yes, but crashes, no. Bad javascript is another issue; you can protect yourself from that quite easily, and most of the time the browser catches infinite loops, fork bomb-style attacks, etc anyway.
IE has become a standard part of the Windows OS. As more and more applications use it, the impact of crashing greatly increases.
Re:ME??? (Score:2, Insightful)
What kind of makes me mad is when I request that our IT department install some software on my box at work. They leave it at the BSOD and try to blame me for it. Now that kind of thing stopped right away once my boss was backing me up. Now we have the only TWO home brewed PCs out of several thousand. Our IT department has admin access to them, but doesn't use it since we support them ourselves. Funny, hasn't crashed once since then.
I think Linux has a very powerful user base, I think most people who run linux are a touch smarter than those who *can't* run linux or don't know any better than to run what their computer came with. I think *nix in general is far more powerful than winderz, but I think windows also has its place in the market.
Yes, this particular bug crashes IE in Windows. BFD. Opening Netscrape was iffy at best on a *nix box. The nice/scary thing about working where I do is we have 2 flavors of unix, dos 6.x to Windows 95, at least 3 distros of linux, a few NT boxes, several 2k boxes and even the odd OS/2 machine. Every OS has its place and is useful in its own right.
Now, take a time out in the corner and meditate on these teachings of tolerance of other OSes.
Users should not have to browse warily. (Score:5, Insightful)
I should have included the following in my first response to your rather overrated and glib point above: Users won't know where to avoid going until it is too late.
Time to recognize a wider social significance. (Score:3, Insightful)
And undeservedly. People who could not see the potential for the web and understand that a critical application like a web browser must be made crash-proof should be corrected. Not by pointing and laughing, but by careful and patient explanation about how more people in everyday society depend on a well-functioning web browser that can handle any input (including input from potentially hostile webpage authors) without crashing (and thus losing what could be valuable data).
What has changed since the days when people used Netscape's version 3 browser is an increase in the number of people who use web browsers for important work. Developers who don't take this concern seriously are not developers one should trust with important data.
Outlook and Frontpage are also affected... (Score:2, Insightful)
Re:Two points of significance for crashes. (Score:2, Insightful)
It's a usual bug. All browsers have them. This bug does *not* exist because MS is Evil. And MS probably will fix it, but I can't say they have to hurry. If someone inserts this text into a page to crash a browser, let him. It doesn't stop anyone from going to serious web sites.
Get over it. Stop this useless bashing. I'm not in any way pro MS, but this story has got to be a joke. And if I had paid for the Slashdot subscription I would have been able to see this breaking story before many others... What has happened to this site?
CowboyNeal - Help me!!! Come back. Plz
Re:bah (Score:2, Insightful)
Talk about biased. Not a MS fanboy myself but it looks like they can do no right. First you complain about MS's dismal security record and when they finally start addressing the issue and release fixes you blast them again.
Re:Two points of significance for crashes. (Score:5, Insightful)
Man, do I wish someone would tell the Mozilla team that...
Got a current example?
Re:So is IE 5.1.6 on OS 9.XX (Score:5, Insightful)
Under Mac OS 9 and earlier, memory location zero was explicitly a real memory location. I wouldn't be surprised if null accesses under OS X also don't cause a crash. So this bug wouldn't cause a crash on a Mac, period.
It's really amazing how many people posting here have stupid conspiracy theories about this, like how it's an intentional mis-feature to test crashing the browser, and how they think the word after 'type' means anything. Look folks, the problem is that 'type' is naked, when it should be 'type="TEXT"' or something similar.
Re:So.... (Score:2, Insightful)
It can also be further exploited by javascript-based email worms by adding a document.write("<INPUT TYPE 'Hastala visa baby'>"); after having spread itself to everyone on the contact list.
Re:Crashing != bug (Score:5, Insightful)
I'm sorry you don't mention the name of your company, because your company makes software that should be shunned. No software should respond in an astonishing way when fed valid data that is outside of the domain of the function -- it should do range-checking and set an appropriate error flag and return to the caller with something, even if that "something" is a NAN. Even when fed absolute junk, it should detect the junk and error out in a predictable manner.
In particular, taking down the application (and perhaps the entire system it's running on) is not an option.
Re:Mail-A-Crash (Score:1, Insightful)
Yeah, and make sure you let
Crasher warning (Score:2, Insightful)
I just noticed that the tantek.com link I posted above crashes Webcore-based browsers. After posting the comment from OmniWeb 4.5 (which uses KHTML Webcore) I clicked on the link. OmniWeb crashed.
Since I'm using a "Sneaky Peek" version of OmniWeb, I thought that maybe it was just a bug in the beta code. I tried the same link in Safari and it crashed too.
I assumed that since this was a page on Tantek Çelik's site the CSS would be valid. The page flunks the HTML validator [w3.org] at w3c.org because of a misplaced noscript tag. - I wouldn't expect that to crash a browser.
Must be a WebCore bug. Kind of ironic given the topic.
Re:So is IE 5.1.6 on OS 9.XX (Score:2, Insightful)
You don't know what you're talking about. I'll bet $5 that you have never done serious C programming before...
This [eskimo.com] is a decent explanation of what a null pointer is.
(Oh yeah, this is slashdot... why am I surprised?)
Re:Whoa! This is worst than I thought. (Score:4, Insightful)
Re:Crashing != bug (Score:2, Insightful)
No "bashing", well-earned untrustworthiness. (Score:5, Insightful)
No, not all browsers have this bug and so far I can't replicate similar sounding bugs in Mozilla producing a crash and loss of work. Also, not all browsers are so widely used and not all browsers integrate code with widely used e-mail clients (Outlook and Outlook express still use the same HTML renderer that is subject to so many problems). This leads to multiple paths to sabotage someone remotely, perhaps even anonymously. Let's not forget that any application that embeds MSIE/Windows' renderer is vulnerable. Considering how many people use MSIE on MS Windows and how many of them are affected by this bug, I'd hardly call revealing the bug a "joke".
I'm not encouraging anyone to think in the false dichotomy of good vs. evil and neither should you. Nobody is helped by glossing over relevant details of how this works or ignoring the wide scope of the bug. This is one of a long string of Microsoft bugs that directly adversely affects ordinary users. We are much better served by suggesting real-world fixes (such as switching to Mozilla [mozilla.org] to do most browsing, even under a proprietary operating system). We're also better off identifying this exemplar of the practical shortcomings of proprietary software. There's no workaround here--MSIE/Windows users must simply wait for a fix from the proprietor if they won't switch browsers (and any other app adversely affected by embedding the MSIE renderer).
0 isn't mapped to the kernel... (Score:3, Insightful)
Otherwise, the program would just keep going. You wouldn't see the crash until you attempt to write there and clobber your code.
Re:Two points of significance for crashes. (Score:4, Insightful)
I must admit, there's something strangely fitting about a Microsoft apologist argument based on sheer arrogance.
It's a usual bug. All browsers have them.
An oddball javascript gyration that changes colors for the rest of the session is a usual bug. A fundamental HTML rendering flaw that can crash the entire Internet application suite for the world's most popular and profitable operating system is a big deal.
This bug does *not* exist because MS is Evil
Agreed. Never attribute to malice that which can be explained by incompetence.
It doesn't stop anyone from going to serious web sites.
It will if (as someone else has suggested) the next Melissa-type virus includes a payload to put the bad HTML on your computer and set it as your homepage.
So much for security by indifference.
Re:Crashing != bug (Score:3, Insightful)
Please tell me you're not just talking about things like forgetting to check before dividing by zero or SQRTing a negative number! If you are, then you are totally misunderstanding this conversation. We're in a different league here.
Unfortunately, you've spent so long checking that your algorithm will work correctly and terminate (assuming such checks are even possible) that no-one else will ever use your code because the alternatives are several orders of magnitude faster, which is the dominant requirement for the type of software we provide.
Any library can get bad input. You can pass me a pointer to your data structure and claim it's valid, but actually give me an address outside of memory that I'm allowed to access so I segfault when I follow it. It is not possible to write a 100% bulletproof library in this situation.
You have to trust your calling code to do its job, and you have to be clear about what input you accept with defined results so those writing the calling code can do their job. There is no other option.
The only remaining question is how broad you choose to make the set of valid inputs. This is simply a trade-off between safety and performance, and in this particular industry, standard practice is to trust your caller and go for performance. You're necessarily relying on them to give you good input anyway, so further checks just slow you down without any real safety benefit.
Actually, taking down the whole application and providing diagnostics is one of the better options, since it makes it clear during testing that there is a bug, which in turn implies that our client application has a logic error somewhere in it.
If my library doing something can take down your whole system, your OS is broken, of course.
Couldn't you use it for anti-Outlook spam? (Score:3, Insightful)
All you have to do is spam this company with this small HTML one-liner. Outlook is set to preview on most desktops. So the hapless users' Outlook would crash and could not be brought back: If you start it again, it would try to preview the offending message again and CRASH.
That would seriously hamper the operations of a company, and if that company is, say, a Wall Street broker, the financial losses could amount to millions.
So IT support people should really demonstrate this vulnerability to the clueless PHBs who insist on putting Outlook on their company's desktops. Maybe they'd stop being so foolishly blind to MS-induced security risks if, say, THEIR Outlook crashes and burns...
Re:Two points of significance for crashes. (Score:3, Insightful)
Is it? Or do you have to shell out $200+ for an OS license?
This is not really a Microsoft problem... (Score:3, Insightful)
Re:NULL pointers and error handling (Score:2, Insightful)
Re:Careful with those emails! (Score:3, Insightful)
It is however a great way to piss off a friend or if someone had a good spam list, or a DOS of a company...
But it makes a really bad virus.
Re:Inquirer says one line (Score:1, Insightful)
insta-crash of the windows explorer thingie, but good old Netscape still kicks.
You guys are slacking! You should have found this sooner, think of all the fun we missed! It is bad enough that Microsoft has little to no QC, now the Slashdot community is sitting on their collective haunches, not sending malformed code to IE.
We are running out of exploits people! What are we going to do for fun when Microsoft patches all these known holes? Well, what then?
Do you think all a company like Microsoft has to do is innovate these new amusements for us? Billy-G is going to start charging us for this, an entertainment tax, possibly. Come on, it costs Billions and Billions of Bucks to make software this good, just think how buggy and unstable software would be if you didn't pay for it....
Oh, wait
I never bought Linux
or FreeBSD
or my Freesco router software...
and this win98 came "free" with the computer, so it must be just as good, right?