HTML Rendering Crashes IE
SlimySlimy writes "According to this article on Secunia, a new IE exploit was found that crashes almost any version of Internet Explorer past 4.0 with just 5 lines of plain HTML code (no JavaScript, ActiveX, etc.). If you're very brave, you can test/crash your IE by going here." There's also a note on SecurityFocus.
OS X IE Is Unaffected (Score:5, Interesting)
Bizarre (Score:2, Interesting)
Re:Phoenix (Score:5, Interesting)
The bug seems to be Windows only....so the Mac coders at MS may be better coders...who knows.
Re:Damnit! (Score:2, Interesting)
It crashed only a single IE window on my pc. I run IE 6.0 on XP with all the updates, but maybe it has something to do with the 'Open folder windows in separate processes' option I have enabled.
It's not a serious vulnerability, but it sure is a very embarrassing one.
Does it have to be ``type crash?'' (Score:2, Interesting)
bah (Score:5, Interesting)
I heard someone suggest they hire better testers? How was anyone supposed to test for this? I know this is
The fact remains though that this crash isn't really that big of a deal. Sure it crashes IE, but it's not like most content webpages want their readers' browsers crashing when they reach the page. Who do we have to worry about? HTML enabled web boards? I have to worry about someone linking c:\con\con as an image every time I click a link. You just go on with your life. If they are stupid enough to have html enabled then it's their problem, not MS's.
Hah! I've got something that will crash IE also.. (Score:5, Interesting)
<html>
<head>
<style>
{
position: fixed;
background-color: green;
}
</style>
</head>
<body>
<table border=1>
<tr>
<td class="header">sdf</td><td>sdfsdfsdf</td>
</tr>
</body>
</html>
You have to mouseover the table cells and you will get a gpf. Should work on IE 5.5 and 6.0.
note: there is a bogus semicolon after the
It's not a bug.... (Score:2, Interesting)
Perhaps the ms ie engineers were just too lazy to hit the x button on ie so they developed this nifty little "feature" to make restarting ie that much easier. How?
Simple... make an htm doc on the desktop, put in these 5 lines, make it your homepage (obviously this prevents loading ie to begin with, but you can just load some other page first) and since home can be gotten to with some keypresses, this means it can be bound to the mouse buttons in some of the newer models.
And there you have it. Instant ie restarting from your mouse! You don't have to waste time clicking the x and then double clicking the ie icon. Genius!
(BTW, perhaps ms can be
what happens? (Score:3, Interesting)
Pretty simple bug really (Score:4, Interesting)
Re:Phoenix (Score:1, Interesting)
No, this is actually well known. IE for Mac got way ahead of IE for Windows, so the group coding the Mac version was dissolved a few years back to slow down development.
Bill! Get it together, Bill! (Score:2, Interesting)
Light-weight alright ;o) (Score:3, Interesting)
DLL Name: Shell Light-weight Utility
Library Description: Contains utility functions for handling paths, urls, strings, registry entries and color settings
Interesting that this dll can also 'handle' registry entries....
In fact, the 5 lines of html can be reduced down to one:
<input type>
<html>
<head>
<title>foo</title>
</head>
<body>
<h1>foo</h1>
<input type>
</body>
</html>
type seems to be the only attribute that has the desired effect
Re:Microsoft...bleh. (Score:2, Interesting)
Hmm.. (Score:2, Interesting)
Crash (Score:2, Interesting)
An infinite loop is not a bug in the application (Score:3, Interesting)
What happens I guess is:
1. You move the mouse outside the body to an image or off window.
2. That blurs it.
3. It wants focus, but the mouse is off the window.
Somewhere javascript is pointing to self, so it runs focus, but the mouse is not on an object with any relation to javascript.
This one may just be on the boundary between what is and what isn't.
Write a worm.... (Score:3, Interesting)
I just found what to auto answer to all my spam... (Score:5, Interesting)
Re:bah (Score:1, Interesting)
Right, it *is* MS' job though to create good software, software should function and terminate properly.
Sorry, it's just not that big of a deal.
It's not a big deal at all, indeed. It is sloppy programming though.
Re:mozilla crashes too (Score:5, Interesting)
<script> for(;;){window.open('');} </script>
Just tried with mozilla 1.2.1: froze.
OTOH:
<script> for(;;){} </script>
If I do this a dialog pops up saying: "A script on this page is trying to screw you. Do you want to kill it?" (not in those words though :)
Re:bah (Score:2, Interesting)
It's an old, perfectly legal, tradition of software: the paying licensees are the testers. I just crashed IE and XP automatically sent in a bug report.
I just love the simplicity of it, kinda like the early versions of NT where you could just telnet to port 139, type a few random characters and hang up, then watch CPU utilization stay at 100% until reboot.
Re:Users look like kids on slashdot (Score:2, Interesting)
If you can identify all the bugs "that any coder should be able to catch" in every line of Linux kernel and GNU support code, so nothing ever goes wrong ever again on my system, I will personally pay you a full-time wage to do it. And so would Microsoft if you wished to do it for them. So, ready to convince us that you can debug the most complex consumer software?
Re:Wonder if that works deeper in a page (Score:3, Interesting)
just putting "about:<input type crash>" in the url bar already worked...
which is just 1 line
Why wasn't this discovered earlier? (Score:2, Interesting)
You guys are all on crack (Score:1, Interesting)
It doesn't qualify as 'exploit' or 'bug'. It's not a security risk. It's not even a problem. IE crashes all the time anyway, you just re-start it (or you can even have it restart automatically) and you're back where you were (before clicking the link, presumably).
Although this gives me an idea... what if you managed to set someone's default URL to this? Might take them a while to find out what's going on.
Security Audits (Score:2, Interesting)
Andrew
Re:mozilla crashes too (Score:5, Interesting)
Everybody who has spent any time developing web pages has learnt that bad (and sometimes even good) html can crash browsers.
Are we *that* confident in the maturity of our web browsers that causing a browser crash is nowadays considered a serious issue?
Before jumping the gun on parsing errors that kill the app, it might be smart to go over design errors first (scripts that keep on going and that bypass the simple "lengthy script" checks are a good example; recursive frameset tricks would qualify too). I've yet to see a full-featured browser that doesn't choke and/or die when presented with the right mix of recursion, active content and wickedness.
<tidbit type=outdated>
Netscape 3 had a neat crash code:
<script>delete new Location</script>
The neat part about it is that 2 of those 3 words were undocumented.
Of course any attempt to pass that as a security concern back then would have been laughed at. loudly.
I'm not sure what has fundamentally changed since then.
</tidbit>
Whoa! This is worse than I thought. (Score:2, Interesting)
Try sending someone the crash code as an html e-mail. It crashed Outlook before even previewing. SHIT.
I sincerely hope anti-virus software blocks this one soon.
This could turn into a new email worm (Score:2, Interesting)
I haven't tried outlook 2000 yet. Anyone want to give it a shot?
Outlook Express affected (Score:2, Interesting)
One HTML-Message posted in a Newsgroup and containing the line "<input type>" (Shortest form of the exploit...12 bytes to crash IE) will kill all Outlook Expresses who try to read it (remember that OE _always_ displays the HTML-Version of the post), leaving the users puzzled and perhaps "insightful +5"...
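Added example, not part of the thread or of any vendor's code: a mail or news gateway check that flags HTML parts containing the valueless attributes commenters on this page report (`<input type>`, `<p align>`). The watch list, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Element/attribute pairs reported by commenters on this page (configurable).
WATCHED = {("input", "type"), ("p", "align")}


class ValuelessAttrFinder(HTMLParser):
    """Collects watched attributes that appear with no value at all."""

    def __init__(self, watched=WATCHED):
        super().__init__()
        self.watched = watched
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and reports a bare attribute as None.
        for name, value in attrs:
            if value is None and (tag, name) in self.watched:
                line, col = self.getpos()
                self.hits.append((tag, name, line, col))


def scan_html(markup):
    finder = ValuelessAttrFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


def scan_message(raw_bytes):
    """Scan every text/html part of an RFC 5322 message or news article."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(scan_html(part.get_content()))
    return hits


# Constructed sample: multipart/alternative mail with one HTML part.
SAMPLE = (
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative; boundary=BOUND\r\n\r\n"
    b"--BOUND\r\nContent-Type: text/plain\r\n\r\nplain part\r\n"
    b"--BOUND\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<html><body>\r\n<input type>\r\n</body></html>\r\n--BOUND--\r\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Each hit is a `(tag, attribute, line, column)` tuple, so a gateway can quarantine the message or rewrite the part to plain text before a vulnerable client renders it.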
Re:Phoenix (Score:2, Interesting)
Re:Wonder if that works deeper in a page (Score:3, Interesting)
If it does, I can imagine many people posting malicious links in blogs everywhere by the end of the day.
Re:OS X IE Is Unaffected (Score:2, Interesting)
Careful with those emails! (Score:5, Interesting)
Re:Two points of significance for crashes. (Score:3, Interesting)
But the email would still be in their Inbox... so the next time they start outlook... oh just remembered, Outlook Express (not sure about the full Office Outlook version) will not display an email after a crash.
Worrying though!
Crashes desktop in auto-preview!!! (Score:2, Interesting)
Fun for the whole family!
no prob with Konqueror (Score:3, Interesting)
Mail-A-Crash (Score:1, Interesting)
"This HTML also crash Outlook, Frontpage, and all the Microsoft programs that use the shlwapi.dll library to render web code."
Re:Inquirer says one line (Score:4, Interesting)
Not to be overly trollish here, but you could also squish poetry onto one long line or a big novel onto one really huge page, like something in Guinness's Book of World Records I suppose.
The point is, we use line counts in computer languages, even though most computer languages can be spaced out in numerous ways, because it provides a good rough estimate of length and complexity. It's not always the best metric, but oftentimes it serves its purpose well. In this case, the typical slashdot reader can see that the exploit is only "five lines" and realize that it's not an overly complicated HTML parser exploit but instead something ridiculously simple.
Re:Very big deal (Score:1, Interesting)
What if somebody sends a SPAM with it? It is not a virus, but anyway...
Re:Crashing != bug (Score:2, Interesting)
It's impossible to do that. Turing demonstrated that it is not possible to determine whether any given algorithm will execute to completion for all possible inputs. As the library in question is a mathematical one, it will undoubtedly contain algorithms which will not complete for some input or inputs, and all the bounds-checking in the world cannot guarantee security from input which will cause an infinite execution time. If it was possible, it would be a solution to the Turing machine halting problem, and such a thing cannot be, by definition.
Re:mozilla crashes too (Score:2, Interesting)
Can you guarantee that? I had a student who was using JavaScript in an editor written in dynamic HTML to traverse the HTML DOM tree in Mozilla and reconstruct information out of it to form an XML document. The program takes several seconds even on relatively small documents. Where would you put a reasonable timeout?
Sebastian
Re:NULL pointers and error handling (Score:2, Interesting)
It's not just input. (Score:1, Interesting)
<p align>
Boom.
way to fight spam (Score:2, Interesting)