Bug Internet Explorer Microsoft Security

Bring Down Internet Explorer In Six Words 239

Posted by kdawson
from the don't-you-think-she-looks-tired dept.
Marcion writes "Some handy Japanese guy called Hamachiya discovered a bug in Internet Explorer. Under certain conditions, an asterisk when used as a wildcard can crash IE as soon as the user attempts to go to another page." The article claims the "five HTML tags and a CSS declaration" crash IE7 as well as IE6, but I couldn't get IE7 to fail. This page says that as of June, IE6 was at about 37% market share and IE7 under 20%.

  • Tear in my eye (Score:5, Insightful)

    by ceeam (39911) on Wednesday August 08, 2007 @05:25AM (#20153843)
    I didn't think I'd see the day when a browser crashing on something would be a newsworthy item. We - the industry - have made improvements in the last years I guess.
    • Re: (Score:3, Insightful)

      by somersault (912633)
      Either that, or /. is going downhill? That's the pessimist's view anyway ;)
    • by Divebus (860563)
      I might get knocked off slashdot for saying this but look at the OS statistics (next page). Between 2003 and now, the Mac market share started behind Linux, matched it in 2005 and has been steadily climbing away from it ever since. "Linux is about to take the desktop" never felt right. Maybe that will change with the Delbuntu machines - maybe not. Anyone have different stats?
      • Re: (Score:3, Informative)

        by Miseph (979059)
        Mac was taking it on the chin prior to about 2003 (when was it that Steve came back again?), their machines were lackluster and their marketing was weak. The release of OSX and their renewed marketing drive has brought them back from obscurity.

        This had nothing to do with FOSS, and everything to do with Apple reclaiming a large chunk of its niche who had moved to Windows (as a group, that is; many of the old school Mac users probably didn't migrate, but new users coming into the traditional Mac niches weren'
        • by greenbird (859670) *

          The release of OSX and their renewed marketing drive has brought them back from obscurity.

          This had nothing to do with FOSS

          Ummm...Do you know where OSX came from? I kinda think FOSS might have had just a bit of an influence on OSX.

        • Re: (Score:3, Informative)

          by riceboy50 (631755)

          when was it that Steve came back again?
          1997 [wikipedia.org].
  • by Dogtanian (588974) on Wednesday August 08, 2007 @05:28AM (#20153857) Homepage
    ...then here's a word perfect translation of that article [altavista.com] (courtesy of Babelfish [altavista.com]).

    Erm... then again, maybe not.

    (If you liked that translation, you might enjoy Babelfish's attempt at Slashdot.jp [altavista.com].)
    • by arkhan_jg (618674) on Wednesday August 08, 2007 @05:38AM (#20153915)
      From slashdot.jp [altavista.com]:

      When the policeman of the tie, rule you violate, hello punishment of the kitty?

      Heh. I can just imagine a 'tie-inspector' walking round making sure your business attire is up to standard, or else he unleashes an angry cat on you. Or maybe he tortures a cute kitten in front of you, not sure on that point.
    • mod parent splendid discernment.

      Thanks for that link. I needed a good laugh in the morning.
    • by uhmmmm (512629) <{moc.liamg} {ta} {mmmmhu}> on Wednesday August 08, 2007 @11:15AM (#20156975) Homepage
      Here's a quick translation I just did:

      Hello! Good afternoon!!!!!
      I stumbled across a browser crash, so today I'll tell you about it!

      Here it is!

      <style>*{position:relative}</style><table><input></table>

          Sample (If you're using IE, your browser will close! You have been warned!)

      It seems IE6 or programs using IE6 components will definitely crash!
      I haven't checked IE7 though!

      It seems to be when you have an input or select or such just below a table or tr or such,
      and you use the css wildcard * to set everything to position:relative.

      By the way, if the input has its style directly set to relative, it doesn't crash. What's up with that?
      I don't really get it, but it sure is interesting...!

      Anyone out there who loves Firefox or Opera should go spread this all over and decrease IE's market share!!!
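The conditions described in the translation above (a bare `*` rule setting `position:relative`, plus a form control sitting directly under a table element) can be checked for in a mail or content filter before the markup reaches an IE6-based renderer. This is an added example, not code from the thread or the linked article; the tag sets standing in for "or such", the function names and the sample documents are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed reading of "table or tr or such" and "input or select or such".
TABLE_PARENTS = {"table", "thead", "tbody", "tfoot", "tr"}
FORM_CONTROLS = {"input", "select", "textarea", "button"}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# CSS comments and the legacy <!-- --> wrappers are stripped before matching.
CSS_NOISE = re.compile(r"/\*.*?\*/|<!--|-->", re.DOTALL)
# A rule whose selector is the bare universal selector and whose body sets
# position:relative. "div * {...}" or "*.x {...}" are deliberately not matched.
UNIVERSAL_RELATIVE = re.compile(
    r"(?:^|[},])\s*\*\s*\{[^}]*\bposition\s*:\s*relative\b", re.IGNORECASE)


class TablePatternScanner(HTMLParser):
    """Tracks source nesting as written. html.parser is a tokenizer and does
    not re-parent misplaced elements the way a browser's tree builder would,
    which is what lets us see the control directly under the table."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []        # currently open (non-void) elements
        self.in_style = False
        self.css = []          # text collected from <style> elements
        self.misplaced = []    # (control, parent, line) tuples

    def handle_starttag(self, tag, attrs):
        if tag in FORM_CONTROLS and self.stack and self.stack[-1] in TABLE_PARENTS:
            self.misplaced.append((tag, self.stack[-1], self.getpos()[0]))
        if tag == "style":
            self.in_style = True
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if tag in self.stack:           # ignore stray close tags
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


def scan(html):
    """Return what was found and whether both conditions hold together."""
    parser = TablePatternScanner()
    parser.feed(html)
    parser.close()
    css = CSS_NOISE.sub("", "".join(parser.css))
    has_rule = bool(UNIVERSAL_RELATIVE.search(css))
    return {"universal_relative": has_rule,
            "misplaced_controls": parser.misplaced,
            "flag": has_rule and bool(parser.misplaced)}


# Constructed sample documents (not taken from any real message).
RULE = "<style>/* reset */ body{margin:0} *{ position : relative }</style>"
SAMPLE_FLAGGED = RULE + "<table><tr><select name='a'><option>x</option></select></tr></table>"
SAMPLE_NESTED_OK = RULE + "<table><tr><td><input name='b'></td></tr></table>"
# The post notes that styling the control directly does not trigger the bug.
SAMPLE_INLINE_ONLY = "<table><input style='position:relative'></table>"

if __name__ == "__main__":
    for name in ("SAMPLE_FLAGGED", "SAMPLE_NESTED_OK", "SAMPLE_INLINE_ONLY"):
        print(name, scan(globals()[name]))
```

The scanner only reads inline `<style>` elements; rules pulled in from external stylesheets are outside what it can see.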
    • And here's my translation. It's a shame that the blog fails to capture the blogger's humor (my translation doesn't do the closing line justice).

      OK! Welcome!!!!! Today, because I made an accidental browser discovery, I'll pass it on! It's this:

      <style>*{position:relative}</style><table><input ></table>

      Sample (If you're using IE, the browser will close! Be careful)
      If it's IE6 or IE6 component browser, it definitely seems to crash! I haven't checked IE7 though!
      if inside TABLE or TR

  • Hmm.. (Score:4, Informative)

    by wumpus188 (657540) on Wednesday August 08, 2007 @05:29AM (#20153867)
    It indeed crashes IE here... Windows 2K3, IE7
    • by Dogtanian (588974) on Wednesday August 08, 2007 @05:44AM (#20153939) Homepage

      It indeed crashes IE here... Windows 2K3, IE7
      I'm using IE7 on bog-standard Windows XP with SP2, and it "crashed" in the manner described for me too. Remember that (as the article states) you have to open a new tab.

      It takes a few seconds to crash after the new tab is opened; that's enough time to type in an auto-completed URL and have it start loading. Strange thing about this is that even though Windows shows the standard "crashed" dialog box for IE, beneath that I can still see (e.g.) Slashdot continue to load in the background until I dismiss the dialog.
      • by Bacon Bits (926911) on Wednesday August 08, 2007 @07:49AM (#20154601)
        It's not a crash, per se. It's a forced closure due to an illegal operation of one component of the browser with code in mshtml.dll.

        An exception was thrown that was not properly caught. The error is caused by improper error trapping. Otherwise, the browser would just render things improperly or claim there was an error on the page because it doesn't properly parse and render the style tag.
        • by GeckoX (259575)
          Pre-tell then, what is a crash?

          If it wasn't a crash, it would have instead presented some sort of alert and told the user something, before allowing the user to continue on doing what they were doing. It does none of this...rather...it crashes. Quite unspectacularly, but crash it does.

          Sorry, but this isn't exactly schrodinger material, the crash can't simply be waved away by stating 'there is no crash'.

          Unless of course, there's a cat in the server box that is serving up this article perchance? ;)
          • by GooberToo (74388) on Wednesday August 08, 2007 @09:05AM (#20155199)
            Pre-tell then, what is a crash?

            When an exception is thrown and is not properly caught. The error is caused by improper error trapping. This is a classic "crash." ;)
          • I guess I typically consider something a "crash" when a system or program is wholly unresponsive to the system and requires that the process be manually killed. I equate "crash" to freezing up.

            An unhandled exception like this is... an unhandled exception. Maybe I'm too close to it now, though, and just don't refer to specific known types of crashes with the general phrase. You're right, though, I think many people do qualify it as a crash.
            • by ichimunki (194887)
              You are confusing "hang" with "crash".
              • Not at all. I know exactly what I mean, and so do my co-workers (having just polled them). My usage conforms completely to the usage in my office.
                • by 2short (466733)
                  Then your office is wrong relative to the rest of the world, where:

                  Crash = Program unexpectedly terminates.
                  Hang = Program becomes unresponsive (unexpectedly).

                  I have known less technical persons to use "crash" in both cases.

                • Re: (Score:2, Funny)

                  by Cigarra (652458)

                  My usage conforms completely to the usage in my office.


                  Bill?!? is that you??
                • Re: (Score:3, Informative)

                  by ashitaka (27544)
                  What does your office do? Hopefully nothing to do with computer development.

                  What you just described is an application or process hanging. The app cannot respond to any user inputs or messages from the OS and the app or even the entire system in the worst case becomes unresponsive.

                  When an app or process crashes it is no longer running and under a better-designed OS will have its memory cleaned up in garbage collection.

                  (Developing since 1979)
          • Re: (Score:2, Funny)

            by mopower70 (250015)

            Pre-tell then, what is a crash?
            If I could pre-tell what caused a crash, I'd avoid doing it in the first place. But I don't think the precogs come online until 2053 or something like that.
        • It's not a crash, per se. It's a forced closure due to an illegal operation of one component of the browser with code in mshtml.dll. An exception was thrown that was not properly caught.
          I didn't rear end the person in front of me, per se. I just simply wasn't paying enough attention and failed to brake.
    • It indeed crashes IE here... Windows 2K3, IE7
      IE7 running on Win2K SP3? How is this possible?
      IE7 is not supposed to be able to run on Windows 2000. Has this changed?
  • by millwall (622730) on Wednesday August 08, 2007 @05:30AM (#20153871)
    Post
    A
    Crappy
    Article
    On
    Slashdot
  • And we bring down a site [commandline.org.uk] from a link in the OP.
  • by BlackPignouf (1017012) on Wednesday August 08, 2007 @06:02AM (#20154047)
    :(){ :|:& };:
    • by Bob54321 (911744)
      Can anyone explain to me what this actually does. It has been my sig for ages to remind me to actually find out but I have never managed to find the time...
      • Re: (Score:2, Informative)

        by radu.stanca (857153)
        From here [euglug.org]

        It creates a function called ":" that accepts no arguments-- that's
        the ":(){ ... }" part of the utterance.

        The code in the function recursively calls the function
        and pipes the output to another invocation of the function-- that's
        the ":|:" part. The "&" puts the call into the background-- that way
        the child processes don't die if the parent exits or is killed. Note
        that by invoking the function twice, you get exponential growth in
        the number of processes (nasty!).

        The trailing ";" after th

  • by Opportunist (166417) on Wednesday August 08, 2007 @06:11AM (#20154081)
    You can crash IE? Really? With a webpage? Who would have thought?

    Seriously, here's a phone. Call someone who cares. Or at least isn't surprised. Or at least thinks it's newsworthy.

    I don't care if I have to wave karma goodbye now, but sensibly, is there an event running today that tries to see how many really uninteresting, uninspired and utterly pointless "news" can make it to the front page on a single day? Yes, it's possible to crash IE. Hey, breaking news, you can even crash it in a way that allows you to execute arbitrary code. Wow. Teh horrorz.

    This ain't news. It may be a new hole detected, but could we at least get less lurid subject lines that sound like it's the end of the world? How about "new bug in IE detected"? It would have been at least as accurate and more objective. You might get the same "duh, no kidding" replies, but at least people wouldn't make fun of you for making something as trivial as an IE bug sound like it's the end of the internet.
    • Re: (Score:3, Insightful)

      by apt142 (574425)
      I think what they considered newsworthy about it is the fact that it can be done in 6 words. Not that the bug exists, but rather how simple it is to crash it. They should have put the foot up there for humor if they wanted to get that across IMHO.

      That being said, crashing IE is only slightly more difficult than tying my shoes.
      • "I think what they considered newsworthy about it is the fact that it can be done in 6 words."

        I think they considered it newsworthy because 'bringing it down in six words' is a Doctor Who reference. :P
    • by bl8n8r (649187) on Wednesday August 08, 2007 @07:48AM (#20154593)
      > Seriously, here's a phone. Call someone who cares. Or at least isn't surprised. Or at least thinks it's newsworthy.

      Attitudes like this are why computer security is in such a dismal state. Crashing an application from a remote system means that application is not filtering its input correctly and is subject to a remote compromise. Just because IE goes bu-bye and starts right up again doesn't mean everything is peaches. By the time you've restarted the app or rebooted windows, you may have already been compromised with the software of choice by the remote. This could be a backdoor, keylogger, trojan whatever - and you won't even know it other than "my computer is slow". People need to wise-up because malware is getting sneakier and more cost effective for the people that write it.

      Articles like this are newsworthy because it brings light to the fact that something is amiss and needs fixing. Unfortunately, other than negative PR, there's little incentive for proprietary software to fix these things. That's one of the reasons IE has been, and still is, such a security nightmare. Firefox is only about 2/3 better (3 pages vs. 8 pages) judging by number of CVEs*. Still, security is about lessening risk. It's foolish to use IE these days with much better options available.

      [*] - https://www.kb.cert.org/vuls/html/search [cert.org]
      • Yes, browser holes are an issue. Especially with malware packages like MPack around. But does it have to sound like something taken out of Fox' news feed? Can we get news again, instead of the hype we got recently?

        Also, telling someone here about security issues with IE is preaching to the choir. We know that. I doubt anyone here doesn't know that there are still security holes in IE. And, for the record, also in FF (just so nobody thinks I'm out to do some MS bashing). Unlike FF, we can't do jack about securi
      • by jesser (77961)
        Crashing an application from a remote system means that application is not filtering [its] input correctly

        Wrong. This crash has more to do with layout data structures than "filtering input".

        and is subject to a remote compromise.

        Only some types of crash bugs [squarefree.com] are exploitable. If this happened on Mac, we'd probably already know [squarefree.com] whether this crash was exploitable.

        Firefox is only about 2/3 better (3 pages vs. 8 pages) judging by number of CVEs*.

        Your link is broken (I get a cert error), so I can't tell you what
    • You can crash IE? Really? With a webpage? Who would have thought?

      I have yet to use a browser that cannot be crashed with a webpage (except for Opera *eyes glitter*). And the list includes IE, FireFox, and Safari on Mac.

  • html source is: (Score:2, Interesting)

    by Anonymous Coward
    <style>* {position:relative}
    </style><table><input></table>
    • Re: (Score:3, Informative)

      by derrida (918536)
      And here is a link [nyud.net] to test it.
      • Re: (Score:3, Interesting)

        by nschubach (922175)
        And VS2005 puts the problem somewhere around here...

        mshtml.dll! 7dcaac6e() mov eax,dword ptr [ecx+4]

        7DCAAC6C nop
        7DCAAC6D nop
        7DCAAC6E mov eax,dword ptr [ecx+4]
        7DCAAC71 test al,1
        7DCAAC73 jne 7DCB3229
        7DCAAC79 and eax,2
        7DCAAC7C ret
        7DCAAC7D nop

        Not that I have any clue what that means since I never learned assembly :p
      • position:relative triggers hasLayout [satzansatz.de] mode for given element, which appears to be a complete, different rendering (sub)engine in IE.
      • In CSS spec table elements are exception from all HTML/CSS layouting rules and in IE they're even more of an exceptional-exception judging by the fact that display:table is not supported and display on table elements can only change visibility, not layout.
      • and on top of that <input> has been source of embarrassment for IE already. <input type> alone used to instantl
  • Dr.Who (Score:3, Funny)

    by gpmidi (891665) on Wednesday August 08, 2007 @06:40AM (#20154229) Homepage
    Dr.Who: I can bring down your administration in one word. Prime Minister: One word. Even you aren't capable of that. Dr.Who: Okay, six words. Dr.Who (whispers to aide): Don't you think she looks tired?
  • Alt-F4 gets rid of it much more quickly, and doesn't rely on a Japanese website not having been /.ed.
  • No big deal. (Score:4, Insightful)

    by 140Mandak262Jamuna (970587) on Wednesday August 08, 2007 @07:16AM (#20154397) Journal
    First please realize I am no MSFT fanboi, I have been extremely critical of that company in my previous postings.

    MSFT should try to fix the bug that is crashing IE, because crashes in IE have a tendency to become a remote execution bug later. But still, no point in bashing MSFT on this issue. Browsers crashing on malformed input is well known. Firefox, my fav and only browser, too crashes often on malformed input. There is this thing called fuzzing, sending deliberately malformed input to the browser and seeing what happens. Firefox used to crash more often than IE under fuzzing. Now they provide fuzzing tools for their testers to strengthen mozilla products.

  • Common to Trident? (Score:5, Interesting)

    by Stefanwulf (1032430) on Wednesday August 08, 2007 @07:26AM (#20154453)
    TFA's servers aren't responding at the moment, so this might be included, but has anyone tried this with non-IE programs which use the Trident layout engine?

    If it's Trident that's bringing down IE, then you're looking at HTML code that could also bring down Windows Media Player, several versions of Outlook and Outlook Express, MSN Messenger, Steam (from Valve), and other applications which use it to render web pages. I think at least some versions of Winamp used trident as well, but I'm not sure about that.
    • It's a bug in mshtml.dll (see a previous poster). It should bring down any program which uses that DLL to render pages. That should include Steam and everything else you mentioned.
    • The original Japanese says it is confirmed as working on something called the IE Component Browser. Is this the Trident engine? I take "IE component browser" to be the thing you can wrap in your own skin/"browser" and brand it the "TheoMurpse Browser!!!(TM)"
  • by asylumx (881307) on Wednesday August 08, 2007 @07:37AM (#20154517)

    as of June, IE6 was at about 37% market share and IE7 under 20%

    Yeah, but don't you think w3schools would be a bit biased? W3schools is a site full of tutorials and information for developers. Developers tend to prefer FireFox due to its robust plugin system and some of the excellent plugins for that system (Firebug, Web Tools, etc.) so I'm not surprised that FireFox has a higher rate of use on such a site. In fact, I am surprised that it's not higher!
    • Re: (Score:3, Informative)

      by kebes (861706)
      Yeah the w3schools [w3schools.com] stat of 34% firefox is higher than the global average. The Wikipedia page on browser share [wikipedia.org] summarizes statistics from a wide variety of sources (and includes links, of course). As can be seen, the values vary depending on the location and types of sites used in the stats. According to some reports [xitimonitor.com], Firefox is nearing 28% usage across Europe. The global stats for generic sites seem to agree that Firefox usage is 12%-15%, versus Internet Explorer (all versions) being 75%-84%.

      Still, this is
  • Six words? Please.

    As any pimply-faced 14 year old surfing the web alone in his bedroom could've told you, all it takes is your Mom unexpectedly calling your name from right outside your door to cause IE to be shut down immediately.
  • If the point of this item is to point out bugs in IE it isn't alone. I crashed a large Epiphany session with a segmentation violation a couple of days ago and it's relatively easy to crash Firefox if you limit the amount of memory available using ulimit (Firefox doesn't catch "early" C++ memory allocation failures and handle them gracefully). Firefox also has the infamous "window unexpectedly destroyed" bug (#263160) for ~3 years (which will crash the browser if you attempt to close the untitled window).

    I suspect all of the Mozilla based browsers will effectively die if one throws enough "heavyweight" pages at them (i.e. those which are activity heavy [because there isn't a Javascript/Active HTML/Animated GIF scheduler]) or run out of swap space (again because memory allocation failures are not handled gracefully).

    IMO, developers place too much emphasis on feature enhancements rather than making the existing browsers run reliably (bugs shouldn't linger for 3 years), with a minimal machine footprint (Netscape 4.7x required significantly less memory than Firefox) and effective priority scheduling of the "top" window (user responsiveness).
  • A badly formed INPUT tag has been known to take down IE since at least 2003.

    Bigger news is why is it still there?
  • by eglass1 (521686) on Wednesday August 08, 2007 @08:51AM (#20155031)
    If you include it in the body of an HTML mail message.
    • But which version of Outlook? Outlook 2007 no longer uses IE as its HTML viewer but rather uses the Word 2007 HTML viewer.
  • Big deal. I can crash Safari 2.0.4 in two clicks. Enable Slashdot's new discussion system and click on a 'Reply to This' link. Press the Back button. Crash.

  • Yup, doesn't crash IE 5.2.3 for Mac OS X.

  • "There is no more pr0n here."
  • Last I checked, a single Javascript command was enough to crash IE, and I think it works in IE7 as well as IE6:

        for (x in document.write) { document.write(x);}

    Was a great prank (ie, a sig link saying "IE USERS DON'T CLICK HERE"). Heh.
  • That asterisk is trouble for everyone now.
  • The six words are, "don't you think she looks tired?"
