Bring Down Internet Explorer In Six Words
Marcion writes "Some handy Japanese guy called Hamachiya discovered a bug in Internet Explorer. Under certain conditions, an asterisk when used as a wildcard can crash IE as soon as the user attempts to go to another page." The article claims the "five HTML tags and a CSS declaration" crash IE7 as well as IE6, but I couldn't get IE7 to fail. This page says that as of June, IE6 was at about 37% market share and IE7 under 20%.
Tear in my eye (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2, Offtopic)
Re:How is this fucking useful ?? (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Informative)
This had nothing to do with FOSS, and everything to do with Apple reclaiming a large chunk of its niche who had moved to Windows (as a group, that is; many of the old school Mac users probably didn't migrate, but new users coming into the traditional Mac niches weren'
Re: (Score:2)
Ummm...Do you know where OSX came from? I kinda think FOSS might have had just a bit of an influence on OSX.
Re: (Score:3, Informative)
Re: (Score:2, Funny)
Nostalgia ain't what it used to be...
If you don't speak Japanese.... (Score:5, Funny)
Erm... then again, maybe not.
(If you liked that translation, you might enjoy Babelfish's attempt at Slashdot.jp [altavista.com].)
Re:If you don't speak Japanese.... (Score:4, Funny)
Heh. I can just imagine a 'tie-inspector' walking round making sure your business attire is up to standard, or else he unleashes an angry cat on you. Or maybe he tortures a cute kitten in front of you, not sure on that point.
Re:If you don't speak Japanese.... (Score:5, Informative)
Ask and ye shall receive
A bit anti-climactic really.
Re:If you don't speak Japanese.... (Score:4, Funny)
Re: (Score:2)
Thanks for that link. I needed a good laugh in the morning.
Re:If you don't speak Japanese.... (Score:4, Informative)
Hello! Good afternoon!!!!!
I stumbled across a browser crash, so today I'll tell you about it!
Here it is!
<style>*{position:relative}</style><table><input>
Sample (If you're using IE, your browser will close! You have been warned!)
It seems IE6 or programs using IE6 components will definitely crash!
I haven't checked IE7 though!
It seems to be when you have an input or select or such just below a table or tr or such,
and you use the css wildcard * to set everything to position:relative.
By the way, if the input has its style directly set to relative, it doesn't crash. What's up with that?
I don't really get it, but it sure is interesting...!
Anyone out there who loves Firefox or Opera should go spread this all over and decrease IE's market share!!!
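The trigger conditions listed in the translated post above, written as a content check (an added example, not part of the original post or the thread). It flags markup that combines a universal-selector `position:relative` rule with an `input` or `select` placed directly under a table element; the class name, function name and sample strings are constructed for illustration, and the check is a heuristic built only from the conditions the post describes.

```python
import re
from html.parser import HTMLParser

# Heuristic: a universal-selector rule such as "*{position:relative}".
STAR_RELATIVE = re.compile(
    r"(?:^|[},])\s*\*\s*\{[^}]*position\s*:\s*relative", re.I)
TABLE_PARTS = {"table", "thead", "tbody", "tfoot", "tr"}
CONTROLS = {"input", "select"}
VOID = {"input", "br", "hr", "img", "meta", "link"}


class TableControlScan(HTMLParser):
    """Tracks open elements and records controls placed directly in a table."""

    def __init__(self):
        super().__init__()
        self.stack = []         # currently open (non-void) elements
        self.in_style = False
        self.star_rule = False  # saw *{...position:relative...}
        self.misplaced = []     # (control, parent, line number)

    def handle_starttag(self, tag, attrs):
        parent = self.stack[-1] if self.stack else None
        if tag in CONTROLS and parent in TABLE_PARTS:
            self.misplaced.append((tag, parent, self.getpos()[0]))
        if tag == "style":
            self.in_style = True
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if tag in self.stack:   # unwind to the matching open element
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.in_style and STAR_RELATIVE.search(data):
            self.star_rule = True


def scan(html):
    """Return misplaced controls, but only if the wildcard rule is present."""
    parser = TableControlScan()
    parser.feed(html)
    parser.close()
    return parser.misplaced if parser.star_rule else []


# Constructed sample: the snippet quoted in the post.
SAMPLE = "<style>*{position:relative}</style><table><input>"
```

A control wrapped in a `td`, or one carrying an inline `position:relative` without the wildcard rule (the case the post says does not crash), is left unflagged.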
Re: (Score:2)
Re: (Score:2)
Funny, but not "Engrish" (Score:3, Informative)
I'm for replacing the current Slashdot moderation options with hilarious Engrish ones:
Oh yeah, "It is strange funny".... that was one I loved. (I've been "reading" Slashdot Japan through Babelfish for quite a while now- that's where my sig comes from).
However, it's misleading to call these "Engrish", as that normally refers to the use of bad English (or even pseudo-English) by the Japanese.
By contrast, this is a quaint auto-translation of correctly-written Japanese. Okay, so the "cute" tone is probably down to the differences between Japanese language and culture as well... but it's sti
Hmm.. (Score:4, Informative)
Is it crashed or not? (Score:4, Interesting)
It takes a few seconds to crash after the new tab is opened; that's enough time to type in an auto-completed URL and have it start loading. Strange thing about this is that even though Windows shows the standard "crashed" dialog box for IE, beneath that I can still see (e.g.) Slashdot continue to load in the background until I dismiss the dialog.
Re:Is it crashed or not? (Score:5, Informative)
An exception was thrown that was not properly caught. The error is caused by improper error trapping. Otherwise, the browser would just render things improperly or claim there was an error on the page because it doesn't properly parse and render the style tag.
Re: (Score:2)
If it wasn't a crash, it would have instead presented some sort of alert and told the user something, before allowing the user to continue on doing what they were doing. It does none of this...rather...it crashes. Quite unspectacularly, but crash it does.
Sorry, but this isn't exactly schrodinger material, the crash can't simply be waved away by stating 'there is no crash'.
Unless of course, there's a cat in the server box that is serving up this article perchance?
Re:Is it crashed or not? (Score:5, Informative)
When an exception is thrown and is not properly caught. The error is caused by improper error trapping. This is a classic "crash."
Re: (Score:2)
An unhandled exception like this is... an unhandled exception. Maybe I'm too close to it now, though, and just don't refer to specific known types of crashes with the general phrase. You're right, though, I think many people do qualify it as a crash.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Crash = Program unexpectedly terminates.
Hang = Program becomes unresponsive (unexpectedly).
I have known less technical persons to use "crash" in both cases.
Re: (Score:2, Funny)
Bill?!? is that you??
Re: (Score:3, Informative)
What you just described is an application or process hanging. The app cannot respond to any user inputs or messages from the OS and the app or even the entire system in the worst case becomes unresponsive.
When an app or process crashes it is no longer running and under a better-designed OS will have its memory cleaned up in garbage collection.
(Developing since 1979)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
IE7 is not supposed to be able to run on Windows 2000. Has this changed?
Re: (Score:2)
Re:Hmm.. (Score:4, Funny)
Bring Down A Website In Six Words (Score:5, Funny)
A
Crappy
Article
On
Slashdot
Re:Bring Down A Website In Six Words (Score:5, Funny)
get
firefox
from
mozilla
dot
com
Re: (Score:2, Funny)
Re: (Score:3, Informative)
http://www.networkmirror.com/tQxFeWtOc31fVZfD/com
Re: (Score:2)
Re:Bring Down A Website In Six Words (Score:5, Funny)
PacaOS is the operating system for Pacas [wikipedia.org] - it's a fork of rodentOS. HTH.
Re: (Score:2)
/.ed ? (Score:2)
Evil Plans Thwarted (Score:2, Funny)
Bring down my system in 13 chars. (Score:5, Funny)
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
No. You're kidding. Can't be. (Score:3, Insightful)
Seriously, here's a phone. Call someone who cares. Or at least isn't surprised. Or at least thinks it's newsworthy.
I don't care if I have to wave karma goodbye now, but sensibly, is there an event running today that tries to see how many really uninteresting, uninspired and utterly pointless "news" can make it to the front page on a single day? Yes, it's possible to crash IE. Hey, breaking news, you can even crash it in a way that allows you to execute arbitrary code. Wow. Teh horrorz.
This ain't news. It may be a new hole detected, but could we at least get less lurid subject lines that sound like it's the end of the world? How about "new bug in IE detected"? It would have been at least as accurate and more objective. You might get the same "duh, no kidding" replies, but at least people wouldn't make fun of you for making something trivial as an IE bug sound like it's the end of the internet.
Re: (Score:3, Insightful)
That being said, crashing IE is only slightly more difficult than tying my shoes.
Re: (Score:2)
I think they considered it newsworthy because 'bringing it down in six words' is a Doctor Who reference.
Re:No. You're kidding. Can't be. (Score:4, Insightful)
Attitudes like this are why computer security is in such a dismal state. Crashing an application from a remote system means that application is not filtering its input correctly and is subject to a remote compromise. Just because IE goes bu-bye and starts right up again doesn't mean everything is peaches. By the time you've restarted the app or rebooted windows, you may have already been compromised with the software of choice by the remote. This could be a backdoor, keylogger, trojan whatever - and you won't even know it other than "my computer is slow". People need to wise-up because malware is getting sneakier and more cost effective for the people that write it.
Articles like this are newsworthy because it brings light to the fact that something is amiss and needs fixing. Unfortunately, other than negative PR, there's little incentive for proprietary software to fix these things. That's one of the reasons IE has been, and still is, such a security nightmare. Firefox is only about 2/3 better (3 pages vs. 8 pages) judging by number of CVEs*. Still, security is about lessening risk. It's foolish to use IE these days with much better options available.
[*] - https://www.kb.cert.org/vuls/html/search [cert.org]
Re: (Score:2)
Also, telling someone here about security issues with IE is preaching to the choir. We know that. I doubt anyone here doesn't know that there are still security holes in IE. And, for the record, also in FF (just so nobody thinks I'm out to do some MS bashing). Unlike FF, we can't do jack about securi
Re: (Score:2)
In either way it's not a fix. When I say (or write) "fix" I mean something that removes the problem, if not entirely then at least to a sufficiently large percentage that the rest can be chalked off as "necessary risk". This just is not the case. Page obfuscation is a real problem.
Re: (Score:2)
Wrong. This crash has more to do with layout data structures than "filtering input".
and is subject to a remote compromise.
Only some types of crash bugs [squarefree.com] are exploitable. If this happened on Mac, we'd probably already know [squarefree.com] whether this crash was exploitable.
Firefox is only about 2/3 better (3 pages vs. 8 pages) judging by number of CVEs*.
Your link is broken (I get a cert error), so I can't tell you what
Re:No. You're kidding. Can't be. (Score:4, Informative)
Umm... 9 days ago?
http://secunia.com/advisories/26201/ [secunia.com]
The vulnerability is caused due to an input validation error within the handling of system default URIs with registered URI handlers (e.g. "mailto", "news", "nntp", "snews", "telnet"). This can be exploited to execute arbitrary commands when a user e.g. using Firefox visits a malicious website with a specially crafted "mailto" URI containing a "%" character and ends in a certain extension (e.g. ".bat", ".cmd")
This command would make firefox go "away"
mailto:test%25../../../../windows/system32/tskill
Re: (Score:2)
Re: (Score:2)
I would say though that a browser should *never* trust input, whether that input is from a webpage or being executed via a command line. So not only does Firefox not quote out URI parameters, it doesn't verify input either, so it gets a double whammy on this one.
http://msinfluentials.com/blogs/jesper/archive/200 7/ [msinfluentials.com]
Re: (Score:2)
I have yet to use a browser that cannot be crashed with a webpage (except for Opera *eyes glitter*). And the list includes IE, FireFox, and Safari on Mac.
Re: (Score:2)
Read it again:
"Bring Down Internet Explorer In Six Words"
Note that it does NOT say:
"OMG!!! Dooomsday!!! Internet falls apart at invocation of 6 words!!! News at 6!!!"
Note that it also doesn't say:
"Bug found in IE"
Rather, it per
html source is: (Score:2, Interesting)
</style><table><input></table>
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
mshtml.dll! 7dcaac6e() mov eax,dword ptr [ecx+4]
7DCAAC6C nop
7DCAAC6D nop
7DCAAC6E mov eax,dword ptr [ecx+4]
7DCAAC71 test al,1
7DCAAC73 jne 7DCB3229
7DCAAC79 and eax,2
7DCAAC7C ret
7DCAAC7D nop
Not that I have any clue what that means since I never learned assembly
Re: (Score:2)
Re: (Score:2)
I think I can explain this (Score:2)
Dr.Who (Score:3, Funny)
Re: (Score:2)
Why go to all that trouble? (Score:2, Funny)
No big deal. (Score:4, Insightful)
MSFT should try to fix the bug that is crashing IE, because crashes in IE have a tendency to become a remote execution bug later. But still, no point in bashing MSFT on this issue. Browsers crashing on malformed input is well known. Firefox, my fav and only browser, too crashes often on malformed input. There is this thing called fuzzing, sending deliberately malformed input to the browser and see what happens. Firefox used to crash more often than IE under fuzzing. Now they provide fuzzing tools for their testers to strengthen mozilla products.
Common to Trident? (Score:5, Interesting)
If it's Trident that's bringing down IE, then you're looking at HTML code that could also bring down Windows Media Player, several versions of Outlook and Outlook Express, MSN Messenger, Steam (from Valve), and other applications which use it to render web pages. I think at least some versions of Winamp used trident as well, but I'm not sure about that.
Re: (Score:2)
Re: (Score:2)
IE Usage @ w3schools? (Score:5, Informative)
Yeah, but don't you think w3schools would be a bit biased? W3schools is a site full of tutorials and information for developers. Developers tend to prefer FireFox due to its robust plugin system and some of the excellent plugins for that system (Firebug, Web Tools, etc.) so I'm not surprised that FireFox has a higher rate of use on such a site. In fact, I am surprised that it's not higher!
Re: (Score:3, Informative)
Still, this is
*Six* words? Amateurs. (Score:2, Funny)
As any pimply-faced 14 year old surfing the web alone in his bedroom could've told you, all it takes is your Mom unexpectedly calling your name from right outside your door to cause IE to be shut down immediately.
So? One can easily crash Firefox too... (Score:4, Informative)
I suspect all of the Mozilla based browsers will effectively die if one throws enough "heavyweight" pages at them (i.e. those which are activity heavy [because there isn't a Javascript/Active HTML/Animated GIF scheduler]) or run out of swap space (again because memory allocation failures are not handled gracefully).
IMO, developers place too much emphasis on feature enhancements rather than making the existing browsers run reliably (bugs shouldn't linger for 3 years), with a minimal machine footprint (Netscape 4.7x required significantly less memory than Firefox) and effective priority scheduling of the "top" window (user responsiveness).
No good statistics to my knowledge (Score:2)
Old news (Score:2)
Bigger news is why is it still there?
Also crashes Outlook... (Score:4, Informative)
Re: (Score:2)
Safari can beat that (Score:2)
Big deal. I can crash Safari 2.0.4 in two clicks. Enable Slashdot's new discussion system and click on a 'Reply to This' link. Press the Back button. Crash.
Doesn't crash in Mac OS (Score:2)
Re: (Score:2)
One Javascript command (Score:2)
for (x in document.write) { document.write(x);}
Was a great prank (ie, a sig link saying "IE USERS DON'T CLICK HERE"). Heh.
The Barry Bonds Bug (Score:2)
The Six Words (Score:2)
I know it's real subtle... (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
He's one of the company owners, and gets all pissy if I even install a security update on his machine. But if he wants to risk losing his QuickBooks when his computer eventually gets 0wned through IE6, well, that's his problem then.
Another site (Score:2)
I tend to use http://www.w3counter.com/globalstats.php [w3counter.com] more than the w3schools stats, they're usually more accurate since w3schools has a very specific audience.
These guys have some interesting statistics:
http://marketshare.hitslink.com/default.aspx [hitslink.com]
I won't speculate on the accuracy of these sites but it's interesting to compare the w3 statistics with the hitslink.com statistics. Linux for example gets twice the share on the w3 counter as on the hitslink.com site. Vista gets fewer hits on the w3 counter than on the hitslink.com site, it's currently standing at 5,4%, I thought it would be in more widespread use by now. The older Macs are completely missing from the
Re: (Score:3, Insightful)
It may be more accurate, but still not very, considering that it says that Latvia makes up 4% of web usage.
Re: (Score:2)
Re: (Score:2)
The difference is, though, that you can take my MacBook Pro away from me when you pry it from my dead cold fingers... Expensive or not.. Other than some minor quirks, I am so much more efficient during the day on my MacBook Pro than I ever was on Windows...
Re: (Score:2)
hee hee hee
Re: (Score:2, Funny)
Re: (Score:2)
let me count for you (Score:2)
2. {
3. position
4. :
5. relative
6. }
actually, these are the 6 words (Score:2)
2. *{position:relative}
3. </style>
4. <table>
5. <input
6. </table>