HTML Rendering Crashes IE
SlimySlimy writes "According to this article on Secunia, a new IE exploit was found that crashes almost any version of Internet Explorer past 4.0 with just 5 lines of plain HTML code (no JavaScript, ActiveX, etc.). If you're very brave, you can test/crash your IE by going here." There's also a note on SecurityFocus.
Here is their story
Infuriate left and right
Could wreak havoc in html-enabled forums
-1 Uncomfortable Truth
It seems that IE 5.x on MacOS X is not affected by this. Not that it's such a big deal, I imagine any affected Windows versions of IE can be relaunched and people will just avoid going to places with such code. I fail to see the significance. Oh well, glad to see their Mac port is more stable in this regard.
"I like systems, their application excepted", George Sand (French)
I use galeon most of the time and it crashes often too... Just put this in a document
<body onblur="javascript:self.focus()">
browse it, and galeon will crash (as of 1.3.3.20030419). Do the same in mozilla, close the browser window, and it will segfault (version 1.3).
strangely it doesn't crash IE for the mac!
Well, just to note, the Mac OS X version of IE did NOT crash. However, anyone using IE on mac when Camino, Mozilla, and Safari are well put together should have their head examined. Don't forget Opera too.
The bug seems to be Windows only....so the Mac coders at MS may be better coders...who knows.
-gabe
Seconds after reading this, I tried this out on my own, slightly modified.
:(
input type giveBoBathan$1,000,000USD
Unfortunately, Microsoft must have known of this potential exploit.
--Travis
EOF
I knew it! IE is just a bunch of smoke and mirrors that makes you think you are surfing the web. In actuality it is just a viewer for a big snapshot of the web, downloaded with each 'patch' from MS.
.txt files..
Now if they can just prove that Word, Excel, and Access are nothing more than a specialized viewer for
I've now implemented it at my site! phrenetic dot to Muhahaha!
Girls are strange. They don't come with a man page.
-- Michael Mattsson
Agreed. IE for mac is insanely slow compared to its alternatives.
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
Not only did THIS version of IE crash, but the others I had open did too!
:)
It crashed only a single IE window on my pc. I run IE 6.0 on XP with all the updates, but maybe it has something to do with the 'Open folder windows in separate processes' option I have enabled.
It's not a serious vulnerability, but it sure is a very embarrassing one.
Well, it would seem that there are a number of people who would like to post regarding this bug crashing different versions of various browsers. I guess I'll post mine here:
Crashed IE 5.50.4522.1800CO with SP1 on a WYSE Winterm running Win2K in a Citrix environment.
In order to be immortal you must be organize
Does it have to be ``type crash?'' Why would ``crash'' be hardcoded into any library? It is just the lack of the ``='' that's doing it? I'd try it myself, but I don't own a copy of IE. Can anyone confirm?
OK everyone, reboot to Windows and click that crash link until you get bored. Be sure to send Micro$uck an error report every time!
Just tried it. I get a plain TYPE=TEXT style input on the page, and View Source works correctly, too.
Ahh, for once it feels so good to be obsolete.
CAn'T CompreHend SARcaSm?
..and my Konquerror didn't crash. Somehow I'm not surprised.
just typing in ..will cause it to crash...interesting to see if any other unclosed tags rather than 'input' do this.
To enforce web standards. Just have the browser crash when the code isn't up to the standards.
people are up in arms over this because it's an ms blunder. It does nothing more than simply halt your browser. As many can testify, halted browsers happen with any of the many browser flavors available.
/. and trolling about MS is ok, but I mean come on, how could anyone see that coming.
I heard someone suggest they hire better testers? How was anyone supposed to test for this. I know this is
The fact remains though that this crash isn't really that big of a deal. Sure it crashes IE, but it's not like most content webpages want their reader's browsers crashing when they reach the page. Who do we have to worry about? HTML enabled web boards? I have to worry about someone linking c:\con\con as an image every time I click a link. You just go on with your life. If they are stupid enough to have html enabled then it's their problem, not MS's.
NJ Local Music Scene
Try the page:
<input type crash>
Looks like the bug has something to do with an <input> tag not inside a <form> tag. Curious.
Just one line is really required:
According to a post on bugtraq:
IE tries to compare the type of the input field to "HIDDEN", to see if it
should be rendered. When there is no type string, a null-pointer is used.
mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static
unicode string "HIDDEN" and a null-pointer.
shlwapi.dll#158 does a case-insensitive comparison of two unicode strings:
it reads from address 0x0 because of the null-pointer and thus causes an
exception.
This is not exploitable, other than a DoS because there is no memory mapped
@ 0x0 and even if you could load something there, you could only compare it
to "HIDDEN" which gets you nowhere.
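The failure mode the BugTraq post describes, modelled as an added C example (not IE's code and not part of the quoted post): a value-less `type` attribute yields a NULL pointer that is handed to a case-insensitive compare against "HIDDEN". The function names, the minimal attribute parser and the use of narrow instead of Unicode strings are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare with no NULL handling. Stands in for the
 * comparison routine named in the post: a NULL argument is dereferenced. */
static int ci_cmp(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* True if the len bytes at s equal name, ignoring case. */
static int name_matches(const char *s, size_t len, const char *name)
{
    size_t i;
    if (len != strlen(name)) return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Hypothetical minimal attribute lookup. Returns buf holding the value of
 * attribute `name`, or NULL when the attribute is absent or is written
 * without "=value" (the "<input type>" case). */
static const char *attr_value(const char *tag, const char *name,
                              char *buf, size_t buflen)
{
    const char *p = tag;

    if (*p == '<') p++;
    while (*p && *p != '>' && !isspace((unsigned char)*p)) p++; /* element name */

    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '>') return NULL;   /* attribute not present */

        const char *astart = p;
        while (*p && *p != '>' && *p != '=' && !isspace((unsigned char)*p)) p++;
        size_t alen = (size_t)(p - astart);

        const char *val = NULL;
        size_t vlen = 0;
        if (*p == '=') {
            p++;
            char q = (*p == '"' || *p == '\'') ? *p++ : 0;
            val = p;
            while (*p && (q ? *p != q : (*p != '>' && !isspace((unsigned char)*p))))
                p++;
            vlen = (size_t)(p - val);
            if (q && *p == q) p++;
        }

        if (name_matches(astart, alen, name)) {
            if (val == NULL || vlen >= buflen) return NULL;
            memcpy(buf, val, vlen);
            buf[vlen] = '\0';
            return buf;
        }
    }
}

/* "Before": the pattern the post describes. For "<input type>" the lookup
 * returns NULL and ci_cmp() reads from address 0. */
int is_hidden_unchecked(const char *tag)
{
    char buf[32];
    const char *type = attr_value(tag, "type", buf, sizeof buf);
    return ci_cmp(type, "HIDDEN") == 0;
}

/* "After": a missing or empty type falls back to the default "text"
 * before any comparison is made. */
int is_hidden_checked(const char *tag)
{
    char buf[32];
    const char *type = attr_value(tag, "type", buf, sizeof buf);
    if (type == NULL || *type == '\0') type = "text";
    return ci_cmp(type, "HIDDEN") == 0;
}

int main(void)
{
    /* Constructed sample tags; the second and third are the forms quoted in the thread. */
    const char *tags[] = { "<input type=hidden>", "<input type crash>",
                           "<input type>", "<input name=a>" };
    size_t i;
    for (i = 0; i < sizeof tags / sizeof tags[0]; i++)
        printf("%-22s hidden=%d\n", tags[i], is_hidden_checked(tags[i]));
    return 0;
}
```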
WinME? I feel for ya... I would endure a thousand browser crashes on 2000 or XP to avoid any pull-the-plug job on ME.
--------
Free your mind.
I bet it's > 50%. Not that any of these fanboys will admit it...
<html>
<head>
<style>
{
position: fixed;
background-color: green;
}
</style>
</head>
<body>
<table border=1>
<tr>
<td class="header">sdf</td><td>sdfsdfsdf</td>
</tr>
</body>
</html>
You have to mouseover the table cells and you will get a gpf. Should work on IE 5.5 and 6.0.
note: there is a bogus semicolon after the
There were some NES games (and i think even some SNES games) in the past that had various codes and such (like the famous Konami code), and some games even had a reset code. This basically just reset the game by giving a specific key sequence (usually just hold every button down) and boom, the game resets with out you needing to walk up to the console.
/.'d through too many users sending in bug reports?)
Perhaps the ms ie engineers were just too lazy to hit the x button on ie so they developed this nifty little "feature" to make restarting ie that much easier. How?
Simple... make an htm doc on the desktop, put in these 5 lines, make it your homepage (obviously this prevents loading ie to begin with, but you can just load some other page first) and since home can be gotten to with some keypresses, this means it can be bound to the mouse buttons in some of the newer models.
And there you have it. Instant ie restarting from your mouse! You don't have to waste time clicking the x and then double clicking the ie icon. Genius!
(BTW, perhaps ms can be
Actually only one line of HTML is required:
<input type>
As someone on BugTraq already figured out 10 days ago, it's caused due to a null value for the type attribute.
Just tried it, and it DOES crash on the latest fully patched version of IE.
/. crowd hasn't yet embedded these 5 lines into the slash code!
Anyone actually *look* at those lines of code? It's just:
<html>
<form>
<input type crash>
</form>
</html>
I'm surprised that the
does what any decent browser should do, and treat it as and substitute the default type=text for the unknown type, and ignore the unknown attribute "crash".
Heh. Thank you so much for porting a better IE to the Mac, Billy...
For the lazy you can reproduce the problem with just the one "input type something_invalid_here" line.
:P
The HTML and FORM tags are just a little more proper
I cannot confirm myself... no Windows machines here...
I have looked all over my computer for this IE thingy you all speak of. I can't find it anywhere. I typed "whereis ie" in the console but nothing turned up. I typed find / -name IE and again nothing. I looked for a man page found none. I clicked on the gear icon thing and looked through the programs installed I don't have it. So I typed apt-get IE. No luck. Must be some obscure piece of software that I can't find. Guess I am better off WITHOUT IT!
what fun, just set it to your homepage, then have it restart explorer automatically once you send in the error report. Hours of fun for the bored slashdotters....
Didn't crash my browser. Oh wait, I'm using Safari. Good for me.
I think, therefore, I'm smarter than our president.
(C) Kaki Sain, 2011. By reading this, you have illegally copied my property to your brain.
If you skip over the assembly instruction that causes the exception in a debugger, everything works fine. So if anyone pulls this trick on you, just open the debugger and skip the instruction. :) That, or get a better browser.
using namespace slashdot;
troll::post();
Slow news night, eh?
No, this is actually well known. IE for Mac got way ahead of IE for Windows, so the group coding the Mac version was dissolved a few years back to slow down development.
<html>
<form>
<input type crash>
</form>
</html>
you are basically asking it to crash at input and it obeys like a puppy. What's wrong with that ? Just becos Mozilla doesn't have this crash at input feature doesn't mean...
me rushin 4 HTML101 labs... byeee
getSexySig();
You must be new.. Welcome to Slashdot.. I hope you enjoy your stay. The restroom is in the back but please don't piss on the computer under the sink.
Yahoo? MSN? How about embedding that code in the chat rooms :D or IM windows, and more.
Lots of applications DEPEND on IE COM Components to do web stuff. Always a good reason to update IE even if you don't use it, other apps do.
The error is invalid page fault in shlwapi.dll
..although placing this in the middle of a page doesn't always work:
DLL Name: Shell Light-weight Utility
Library Description: Contains utility functions for handling paths, urls, strings, registry entries and color settings
Interesting that this dll can also 'handle' registry entries....
In fact, the 5 lines of html can be reduced down to one:
<input type>
<html>
<head>
<title>foo</title>
</head>
<body>
<h1>foo</h1>
<input type>
</body>
</html>
type seems to be the only attribute that has the desired effect
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
Who else couldn't resist from clicking on the link that would crash IE?
Microsoft ME stands for Miserable Edition. What did you expect?
Lots of hot air. Where is the time when, if you found a problem, just mailed the author saying "if you do this and this it will break." instead of writing a hundred line advisory?
bash$
I bet it's around 90%...
Why is this a big deal? Because the largest software company on the planet has no better development practices and safeguards than some half-literate garage hacker.
It does surprise me... I mean, 'input type crash' ?? or is the input type significant or just for emphasis? It seems like what with 1-6, 8, and 9 of 9, plus all those eager-beaver interns and million typing monkeys at Microsoft this would have been caught earlier, unless the 'crash' thing was put there on purpose to intentionally cause a segfault or something so people could see what happens with all the activex controls etc. when IE does crash, and somebody forgot to remove it. Or, is Slashdot in permanent April Fool mode now? I hope so.
---The Vicar---
I haven't decided which is worse... The fact that such a silly bug exists, or the fact that it went undetected for six years.
A crash bug? Mozilla has none of those, right? Right? (seriously, if anything Microsoft should be proud that one pointless crash bug is such a big deal)
And now... Shall we continue to post all the bugs that crash Mozilla, Netscape or Galeon?
Who first?
The "crash" part is just for looks. It would still crash with
Leave off the html and /html tags. Kills IE milliseconds faster.
Nothing wrong with that, Phoenix being still an alpha product. But please do not compare it with mature products, even if they are from Microsoft.
Also I don't understand why there are so many threads when nothing is going on (no download in progress and a single page shown).
Ciao
----
FB
I run MS Windows on my laptop and Linux on my web server and desktop. MS crap is good for some stuff and I am sure many Slashdot readers use it now and again.
It's amazing something like this went unnoticed for so long. I have no doubts this example will be cited for years to come when advocating the importance of open source. It makes me wonder what stress/syntax tests, or the lack thereof, MS's bug testers/quality assurance people did.
All I can say is Wow.....and LOL.
-Look lively. LOOK LIVELY!!! --Mr. Shmallow
http://oca.microsoft.com/en/Response.asp?SID=96 and the clock is ticking
According to a post on bugtraq: IE tries to compare the type of the input field to "HIDDEN", to see if it should be rendered. When there is no type string, a null-pointer is used. mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static unicode string "HIDDEN" and a null-pointer.
I've crashed IE 6 several times with this HTML just fooling around, and each time, an exception is raised, a debug report generated, an optional offer is made to submit the report to the OS manufacturer to inform them of the problem, upon which immediate technical support is often given. After that action is complete, the OS remains stable, and the crash can be repeated ad nauseam, experimenting with different tags/debugger experiments/versions.
That is in a consumer OS (XP Home) that costs less than $100, and has tens of thousands of commercial apps available in almost every language. (probably millions if you include shareware/freeware)
Whether it's my mom or another engineer, I feel pretty good about telling them XP is a solid OS that can do what they need. (likewise with IE)
Not many years ago, it would have seemed pretty petty to obsess about such a bug--and that's when it would've forced a reboot.
I'm not shy about criticizing MS when appropriate, but to come from Windows for Workgroups to XP in 10 years is pretty impressive, especially for a company of its size.
If it were me, I'd spend my time debating the Software Formerly Known As Palladium, and not lose the forest for the trees by mocking MS for this kind of item. I fart bugs bigger than this.
Machines take me by surprise with great frequency. -A. Turing
- This crashes explorer as a whole, due to integration
- To do it, use an [input] tag outside of the [body] tag, name the property "type" but don't define it, ie: [input type], not [input type=text].
ta-da.
-- 'The' Lord and Master Bitman On High, Master Of All
I don't particularly like Microsoft, but this is really not much of an "exploit". Mozilla crashes, Galeon crashes, Phoenix crashes, Safari crashes, and IE crashes. They crash due to particular snippets of JavaScript, DHTML, images, and plug-ins. As long as people keep writing end user applications in C/C++, they will crash. But they do so rarely enough that apparently most people aren't really bothered by it.
Just the single line: is enough to crash explorer. Keep in mind though that it only works if the input tag is not inside body tags. The code above does not crash the browser so if you build your HTML pages properly this bug should not affect you. Also, no chance of using it on forums or others.
Tested with the Opera and Mozilla browsers, both on Windoze and Linux platforms, the exploit doesn't affect any of them.
IE on the other hand, crashed.
By the way, here is the entire "exploit code":
<html>
<form>
<input type crash>
</form>
</html>
Muchas Gracias, Señor Edward Snowden !
Unfortunately, 0.5 is very old and there are only nightly releases since then. Try the nightly build from March 20th. I haven't managed to crash it once in those weeks.
You know what, writing a web browser isn't easy. But not even Microsoft, with all its pro-Microsoft zealotry(!), has a forum which publishes a blow-by-blow list of every bug or vulnerability found in the 58 Free/Open Source browsers. "WE ARE BETAR THAN GAH-NU" is left to be dealt with in a childish way by the marketing dept: after all, the only competition they have (marketing wise) is.. well.. stuff like this forum.
I used to consistently crash Mozilla on some Hotmail pages.
Is it me, or did the phrase "Hotmail isn't done until Mozilla won't run" run through anyone else's head when they read that?
Maybe Slashdot is affecting me more than I thought. (If this post turns up twice, we'll know for sure...)
Jay
World is round.
Crashed mine. Version: 6.0.2800.1106.xpsp2.021108-1929
I want to see some simple HTML code that will crash a spammer's email harvesting web crawler. Now THAT would be "News.*that matters..."
It's a bug in the document.
What happens I guess is:
1. You move the mouse outside the body to an image or off window.
2. That blurs it.
3. It wants focus, but the mouse is off the window.
Somewhere javascript is pointing to self, so it runs focus, but the mouse is not on an object with any relation to javascript.
This one may just be on the boundary between what is and what isn't.
The message on the other side of this sig is false.
Write a worm that sets everyone's home-page to this... so very evil.
Yeah, I use the windows copy of phoenix and I have zero problems with it. In linux I just use Mozilla.
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
.sigs are useless; it doesn't protect you from imposters.
Christ, it went undetected for 6 years because it's bloody invalid code. Look at it, no webmaster in his/her right mind would ever markup anything like that. Head over to the W3C for info on how to use the form element http://www.w3.org/TR/html401/interact/forms.html.
Better yet, run the markup through their validator http://validator.w3.org and see what the hell happens.
"This HTML also crash Outlook" Sweet, I just found what to auto answer to all my spam. Of course with a subject line that says: I am very interested to buy your products.
Yahh, hiii haaaaa! -Major Kong, from Dr. Strangelove
This really isn't a bad way to break IE in the same way Microsoft broke Opera. I guess I will have to do that to the html docs I host on the web... whatever those are.
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
I mean, geez, you'd think that with a rep like MS that people would be expecting it!
Maybe... but it sure is fun to e-mail these kinds of stories to all your MS loving friends!!
Geee, that's almost as bad as the file:///C|/con/con thing that crashed the whole of Win9x.
Do you ever notice that when Microsoft makes a Mac version of a piss-poor Windows product that it tends to not suck [as much]?
Somewhat. When it comes to Office, I prefer the Mac versions to those for Windows. Perhaps it's because MS had some extra time in bringing the Mac versions to market. (MS Mac Office 98 / MS Windows Office 97.... MS Mac Office 2001 / MS Windows Office 2000.... Office v.X for OS X doesn't really count as it's a hybrid of Office 2001 and Office XP). The look and feel seems easier to live with and the Entourage email/calendar/pim app is a lot more sane than Outlook (though is lacking full Exchange integration).
MSN Messenger for the Mac is a pretty smooth little app... single file to deal with and none of the virus-like attributes of the Windows version.
MS IE for Mac was pretty good back in the days of Netscape 4. But these days there are MUCH better choices for Mac users.
Windows Media Player for the Mac (they need a better name for that app) works, but feels like a quick and dirty port... I wouldn't be surprised if it wasn't done by the MS MBU (Macintosh Business Unit -- MS's Mac software team located in the Silicon Valley).
What's wrong with you people?
/. were to use this code/bug/feature, would that keep the trolls away? ;^)
:P
;)
:P
This is a *SPLENDID* way to keep internet exploder (l)users away from webpages.
You don't want the average person to visit your website? Simple, insert 1 wee little line of code, et voila, bob's your uncle.
Come to think of it...if
(Hah! syeah right! Wishful thinking
<wonderful dream>
It'll take 6 months before micro$oft fixes the problem, so that'll give the rest of us six months of troll-free slashdot happiness
<reality>
Having said that, I'm using Exploder on WinMe to submit this post - but mind you, it's the first time in 2 months I've been anywhere near windows - and yes, that's a real bug, it did crash - exploder only though...I figured windows would keel over with it. How eh...disappointing
Ironic thoughts for the day:
1) this IE bug WILL become a feature.
<insert appropriate marketspeak here>
2) This post will get rated 'Troll'
I read this note on "how to crash IE in five lines" and thought I would email it to a friend. So I made a little text file with the five lines and, perhaps foolishly, gave it the name of crash.html. I then wrote the email (in Netscape) and all was fine. Then I wanted to delete the file. Oops
Simply selecting the file in the directory and pulling up the right button menu crashed Windows Explorer and my laptop went to heaven. Just to be sure I tried again this time debugging it with the Cancel option: still a dead laptop. I deleted it by deleting the whole directory.
I couldn't find any comments on the bug affecting anything other than IE. But it does.
I got this story rejected on: 2003-04-24 21:46:57
Would have been nice to give people more advance notice of this!
I tried option , so if they can handle 32+ length, soon there will be no money at all. ;)
just wait a bit
Oooh, big roller coaster (browser).
Of course it can break (crash).
Slashdot: But the operator is drunk (it's a coding mistake in something independent of the browser).
User: Nah, it's too huge, can't ride on it.
The parser is broken in one small place in a very simple way that any coder should be able to catch.
The message on the other side of this sig is false.
This is kinda like the reason I don't moderate -In my profile - "I'd like to moderate, except IE goes berserk if there's more than 20 comments to moderate"
... yeah, that'll do.
Moderation boxes glitch and redraw all over the window when scrolling, or IE doesn't finish loading the page at all.
Anyone else seen that? Maybe I should submit it to slashdot. "SLASHDOT CRASHES IE!!"
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
This is as serious as I am drunk. Very. However, I could see the necessity of the "exploit" to crash someone's browser through HTML since this seems to be intentionally allowed (from the exploit: ) which is perfectly good...oh wait, I only see that because intoxication has the better of me...good thing there's mozilla!
sig: There are two mistaakes in this sig.
..and my Konquerror didn't crash. Somehow I'm not surprised.
Well duh... considering this is an IE bug...
Do you also have a lot of threads show up when you run Mozilla? I believe this is a problem with the way top and the kernel identify threads, causing it to show a bunch of extras. If you do have Mozilla running and it doesn't have this problem, my apologies.
And I agree it should not be compared to IE.. There are messages to other developers in the options setting (unprofessional to say the least)... "XXXben we need at least a toggle here..."
Hopefully 0.6 will be out soon, there are already tons of new features in the nightlies. Skin swapping without restarting, the completely redone preferences section, etc etc.
I'd better send Microsoft the automatic report they like so much...
And again to be sure...
And again....
And again....
Dude, where's my Karma?
I see the significance in two ways right now:
Digital Citizen
... and will email it to all your friends as well.
BugFix Q3823982
This patch solves a vulnerability with Microsoft Internet Explorer Versions 4.0, 5.0, 5.5 and 6.0. A missing validation allowed snippets of code such as <form><input type cras.....
-----
This program has had a critical error and must be shut down...
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Doesn't crash Safari. Wha' Wha'?!? Can't phase dis' shit!
I made some experiments and this bug is not that serious, if you use IE correctly.
IE has a feature, Mozilla/Firebird and Opera sadly don't have: IE can run in multiple processes.
If you open a new window by clicking IExplore.exe instead of pressing Ctrl-N, the new window runs in a separate process. If you visit that crash page, only the one IE process crashes while the other processes stay unaffected (at least on NT based systems).
OTOH if a page makes Mozilla crash, the whole app suite goes down. The process separation with Firebird and Thunderbird is a step into the right direction, but different Firebird windows do still run in a single thread.
I hope those kind of crashes send a message to all app developers (*cough*OpenOffice.org*cough*), to use multiple processes if possible (at least optional, because that would use more RAM).
I mean, hurds of people must have mistyped the input type tag at one point or another, how come we never heard of this before?
your browser is crappy
due to an error in shlwapi.
when I browse the tag "input"
Exploder goes kaput.
For great justice take off every sig.
Am I the only one who has noticed that this is obviously some debugging? They would have used such an instruction to test the crash recovery stuff, make sure data isn't corrupted during crashes, etc. etc. etc.
It doesn't qualify as 'exploit' or 'bug'. It's not a security risk. It's not even a problem. IE crashes all the time anyway, you just re-start it (or you can even have it restart automatically) and you're back where you were (before clicking the link, presumably).
Although this gives me an idea... what if you managed to set someone's default URL to this? Might take them a while to find out what's going on.
HTML clients are supposed to do skip over input they can't render. And in general, software should do something reasonable when it can't deal with input. Like deliver an error message. Crashing is always evidence of a bug, whether the data that caused it is buggy or not.
If someone has left this around since 4.0, why haven't all these security audits Microsoft claims to be doing found that out yet? Are we still to believe that they actually spent a whole month in early 2002 just rooting out security holes, when they didn't notice this? Or is someone going to try and say that they /did/ notice it and then deliberately didn't fix it, on the grounds that it's just a bug and maybe not technically a security hole? Come on, really...
Andrew
In other news, Microsoft has released a 10.2MB patch to get rid of a vulnerability in IE that malicious websites could make use of to crash the browser with 4 lines of code.
I tested it a couple of dozen times and sent the WinXP error reports off to Microsoft like any good windows user would...
another Roadkill on the Information Superhighway
No, if that does indeed crash an application it's a bug (and I'll assume, for the sake of argument, that the parent is correct even though other posters have stated they can't get Mozilla to crash from this). Applications should not respond to any input by crashing and applications should give the user a chance to lose data because someone on the net essentially (perhaps inadvertently) instructed the application to crash.
I appreciate the logic of the loop you're describing, but the proper response to that is not to crash or enter some state where a user's data can be lost.
Digital Citizen
This makes it on to slashdot, but bugs like this Netscape exploit didn't?
I deleted my sig years ago.
I'm running IE 5.x and it crashes constantly with any help from a few lines of html.
If I currently have two windows open in Mozilla, and one of them has Javascript that goes into an infinite loop, the correct behavior is not for the entire program to crash, taking both windows down with it.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
It still barfs, and it barfs in a slightly different color, but less often. Experiment with nightlies. When you find one that doesn't barf too often, go with it.
this is one of those times when I wish I had mod points. AH... maybe someday.
Good judgment comes from experience, and a lot of that comes from bad judgment.
Even if it is a bug in the document, the browser should never crash.
No offense, but many Alpha-products are perfectly comparable to ultra-mature Microsoft products like IE or MSOffice.
Especially Phoenix/Firebird/Mozilla-Browser/whateveritscalled now which is very stable at least on my installation.
...HA!
Seriously.
lol, explorer 5.5 under crossover office also crashes :-P
This does not just affect IE, it also appears to affect apps using the IE html rendering engine including Outlook Express and Frontpage.
Try sending someone the crash code as an html e-mail. It crashed Outlook before even previewing. SHIT.
I sincerely hope anti-virus software blocks this one soon.
I just pasted the code into mozilla mail and emailed my outlook express 6 client and it caused it to crash. (Go figure)
I haven't tried outlook 2000 yet. Anyone want to give it a shot?
"Every security scheme that is based on secrets eventually fails." - Steve Jobs
If you really want to prove a point, make sure its an html email then.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
One HTML-Message posted in a Newsgroup and containing the line "<input type>" (Shortest form of the exploit...12 bytes to crash IE) will kill all Outlook Expresses who try to read it (remember that OE _always_ displays the HTML-Version of the post), leaving the users puzzled and perhaps "insightful +5"...
I wrote:
Obviously I mistyped and the above should read "...applications should not give the user a chance to lose data..."
Digital Citizen
I think this bug isn't dumb, it's the most
clever backdoor ever created...
Opera 7.10 on Win 2k just gave a blank page leaving the other pages up and running no matter what identification I set it to.
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare.
I tried it in Netcaptor which is based on Internet Explorer--the page opened and the error message popped up, but Netcaptor kept on chugging. It's really a great browser. Offtopic, but when is Mozilla/Firebird going to incorporate something similar to Captorgroups. And don't even mention that multiple bookmarks on startup, that's not the same thing. Captorgroups are much more versatile.
I just tried it with
:-}
and that did it as well - who need 5 lines
they will have to contact me directly once they realize they can't mark the assignment if they can't read it, and i sent the email on time, so they can't give me zero...
that's a (wild guess here) three day extension for most emailed assignments.
Wa-hoo!
yes, professor,i have a copy of the file i sent you...
Microsoft...why bother?and there's a half-decent CYA, "i erased the email - my spool was getting full." this won't work if they're willing to switch email clients to something sensible that doesn't choke on the message
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
IE CrASHeS U!!!
The Mac Team at Microsoft seem to be a lot better at putting things together than the PC Team. Internet Explorer is actually quite nice to use on a Mac, as are things like Office.
Yep, Opera 7.03 on my Win95 system does not really need any HTML code to crash. It just casually does it from time to time to give me a break.
And undeservedly. People who could not see the potential for the web and understand that a critical application like a web browser must be made crash-proof should be corrected. Not by pointing and laughing, but by careful and patient explanation about how more people in everyday society depend on a well-functioning web browser that can handle any input (including input from potentially hostile webpage authors) without crashing (and thus losing what could be valuable data).
What has changed since the days when people used Netscape's version 3 browser is an increase in the number of people who use web browsers for important work. Developers who don't take this concern seriously are not developers one should trust with important data.
Digital Citizen
Just imagine : a spam mail using that code going to millions of IE / Outlook users... This would at least have one positive effect : Make the consumer aware that Yes, there are bugs and security issues in Windows and IE. You can no more read your email...
Shouldn't it be possible to crash outlook by sending a html-message with those strings in it, since outlook is using the IE render engine?
I am now going to integrate this code onto all the websites I can change.... (all of 1).... and force people to use Mozilla.
I think this story is just a troll!
-- Many men would appreciate a woman's mind more if they could fondle it
in related news, the microsoft operating system is buggy and full of holes.
killed ie6.0.2800.1106
LOL! :)
Funny but interesting at the same time.
Someone mod that one up.
Last time I checked I could still crash Mozilla with onSelect="select()" or an onFocus="select()" in a <textarea>.
They all have bugs to some point. You're a fool if you think otherwise.
Because "Plain Old Text" on /. is just HTML without entities and with significant whitespace.
I turn off ActiveX and Java on IE here and still, it manages to crash. This is serious.
What has Java or ActiveX got to do with it? It's an HTML parsing error.
Doooooooood.... Time to get new friends! ...Ones that aren't clueless fuckwhizzles.
Using IE6 on WinXP prof. with all SPs and updates installed.
IE version: 6.0.2800.1106.xpsp2.021108-1929
but I cannot see any obvious reason, WHY this happens. and WHY this only happens, when you put the mouse over the cell...
actually a bit mysterious to me
(Also checked: Mozilla 1.4a renders this page fine and has no problems with the mouse hovering over the cells. Again, mysterious, eeeeh...)
Yes boys and girls it is true! I went to that page and it locked XP Home to the point of holding in the power button to turn it off so watch out!
IE is for losers too stupid to use a real browser and Microsoft knows it
that's really funny.
ie 5.00 collapsed instantly
but then i read the code, "input type crash"?
anyway, as it turns out the word doesn't have to be crash.. you can use any word you want, i used "killie" and got the same results...
The secret command is crash? That's the kind of null pointer exploit command an idiot would put on his luggage!
There are always people here on Slashdot that mock the rest of us for pointing at M$ errors and starting to jump up and down and scream like monkeys.
... Reboot, reboot, reboot, reboot. And this is just an example.
... guess what: REBOOT
Well, I get asked almost every day by my friends why the heck I made the switch for my desktop computer from Windoze to Linux, when it is so complicated and frustrating sometimes.
This is a good example why I did. I got stuck with a desktop machine that for some reason lost its TCP/IP ability after some time using it for no apparent reason. The only fix was to reboot it. And I got veeeery tired of reboots. In Linux I could have just mailed the creators of the drivers and have a high chance of resolving the problem if I include a core dump. In Windows I just kept switching every possible driver for my SCSI card, sound card, nic, mb
Nowadays I use a laptop. Since I use it in my room mostly I have it plugged in and I can just put down the lid and send it to sleep (suspend to RAM). When I want to use it I just open the lid. I boot up in 3 seconds. I have Win98 preinstalled on the system and it still sits there (on less space) and I could maybe do one or two suspend to RAM after which it wouldn't wake up anymore and I had to
Disclaimer:
OK, this is not a reboot bug, but one that can be very annoying and could be resolved by writing to the mozilla developer team and having it fixed in the next release in one or two months. I doubt if Microsoft will ever issue a fix.
Have one IE window open, then right-click on the page you want to go to (with the nasty lines of code), select open in new window, and only that new window will die.
Not as big a deal as I had thought. I figured it would kill all instances of IE in use (and probably explorer as well.)
The Windows Media player for mac was an unofficial port, it was actually done by like two people in their spare time within the Mac BU!!!
talk about dedication! Perhaps with all the recent competition coming from Apple, Microsoft may begin to put more resources in Mac Development.
I saved the html file to disk so I could see the offending lines. It crashes Explorer file browser just by clicking on the file. I figure it is trying to render the little thumbnail view.
Way to go backdoor Bill!
I mean, IE implements the tags correctly and you all just noticed? Yet again we see that Microsoft IE is ahead of the game, implementing useful tags that the w3 hasn't even thought of yet.
Why is it that Microsoft is saddled with the burden of creating useful standards? Isn't this supposed to be the job of the w3?
I expect we'll have to wait a few years to see it in Moz and by then, microsoft will have implemented <input type explode into tiny pieces> or something even more spectacular.
Robots are everywhere, and they eat old people's medicine for fuel.
IE 6.0.2600 crashes on VMWare window at Windows XP... so funny hehe
http://www.w3c.org
nuff said.
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
this works in the homepage field of your beloved browser:
about:<input type>
oddly enough if the '=' is included here an input box gets rendered (I haven't seen any other tag that is rendered for the homepage field). Hmm.....
Mozilla 1.0.1 works just fine - displays an input box. Here is the page source:
<html>
<form>
<input type crash>
</form>
</html>
The Mac Team at Microsoft seem to be a lot better at putting things together than the PC Team. Internet Explorer is actually quite nice to use on a Mac, as are things like Office.
Compared to Safari? I don't think so, although I'll admit Office is about the best application in its class for Mac or any other platform. I've never tried Keynote though.
Safari has never crashed on me, is scriptable via Apple Script, has Tabs, blocks popups, and generally looks much nicer. On the other hand IE crashes, does not block popups, does not have tabs, is ugly, and may be scriptable (I don't know).
The only thing I'll give IE, is that once in a while for certain sites I'll have to use it. For example my girlfriend must use it when registering for classes online. Safari doesn't cut it, although I believe Mozilla may for this task.
-Craig.
I don't know who has noticed, but I'm quite sure that IE for the Mac is a completely different codebase than IE for Windows.
In fact, IE for the Mac may be slow, but it seems to be much more standards-compliant than IE for Windows.
I have never been able to recreate an IE for Windows bug in IE for the Mac.
Then again, I agree with the parent post - there are lots of nice browsers for the Mac, and IE is my last choice.
I just sent a HTML email with this in to a friend who runs Outlook 2000. As soon as he got it, it crashed Outlook. Funny thing is every time he starts Outlook up it crashes again so he can't remove it. Disables his email program with one crafted email!
It's really not a bug - you're just moving your mouse too slow ;)
Open source is the art of letting other people write your bad code.
I repeat, it did not crash Lynx.
--Drunk as in Beer
I can't get IE 5.2 for OS X to crash with this bug (nor safari). Watch, now someone will come along and tell me I'm not crashing my browser correctly.
B
"I'm payin' taxes, but what am I buyin'?" -- James Brown
Last week, I posted right here the fucking code that crashes it, and two asshole moderators moderated it into "redundant".
Only yesterday I was wishing that someone would find some kind of fatal flaw in Netscape Navigator 4.x to force anyone using it to upgrade!
I was having to make some beautifully crafted, standards compliant HTML/CSS work with the aforementioned thing.
Quick poll: Does anyone here actually use NN4.x ? (apart from for testing which doesn't count)
I don't know if anyone else tooled around with the code, and I haven't read through all of the comments in this thread, but this exploit will crash IE with any invalid input type. You don't need to tell IE to "crash", you can tell it:
<input type slashdot>
if you want, and it will still crash.
No, it's not.
I work on an industry-leading mathematical library. We rely, in a few places, on getting sensible input from our client apps. If they give us garbage, they have no guarantees about getting a sensible error back, or even about anything ever coming back.
Before you say that this sucks, consider that if we did completely error-check all input to ensure that everything terminated properly with the current data set yada yada, our performance would almost certainly take an unacceptable hit in each of these cases, and in this business, performance kinda matters.
In this case, crashing is not evidence of a bug, it's evidence of design priorities that don't match yours (but do match ours, and our customers').
(Obviously I'm speaking only for myself and not my employer here...)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It shouldn't matter.
Browsers and the technologies on which they are fundamentally based were designed to allow the display of textual information in a somewhat formatted way. If the browser crashed, you should lose nothing but the page you were looking at, which you should be able to redisplay or display in another non-crashing browser just by opening up the address again.
The only reason browsers crashing matters now is because the industry has warped the technology and now tries to use it for totally unsuitable things. Browsers were never meant to be part of distributed applications where real data gets shifted around. The fact that so many apps now use a "browser" front-end is indicative of nothing but a poor choice of tool, as is the fact that crashes matter.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Damn. I thought that would be something fun to see, but now I have to wait until Monday when I can crash IE at work.
Note to Microsoft's Mac BU: please stop writing software which is better than the Windows stuff. It makes making fun of you less sweet.
"Smart is sexy." -- D. Scully ("War of the Coprophages")
it may just be me, but it seems that this was thrown in intentionally by a code monkey, probably for error checking. so chill out. or better yet, make sites that take advantage of it! i dont know about you, but i get pretty pissed at those sites that require certain browsers, plugins, etc. this is your chance to make the windows world use something *better* (mozilla, phoenix, etc). web developers unite!
I tried the code of the article and various pieces of code given in comments and nothing can make Opera crash or even make it behave funny.
Yet another reason to use it !
Intelligence shared is intelligence squared.
My PC handles this page without a problem. It might cause problems on older PCs. Of course, you could always put more than one such GIF image on a page.
Javigator works like a charm!
Just go to ebay, and do some advanced searches. Mozilla 1.1/win2k, on my machine anyway, won't last more than about 2 or 3 searches--really. Crashes hard _every_ time I forget to use a different browser. The first time I tried to let it generate and send the error log, but that locked up as well. In general, however, my past experiences have favored navigator about 10 to 1 over IE.
You don't need to specifically put "input type crash", as something like this also crashes IE:
<html>
<form>
<input type abc123>
</form>
</html>
---------
There is inferior bacteria on the interior of your posterior.
I can imagine the IE developers put this in there for their testing purposes, like for testing their automated bug reporting software. They probably just forgot to take it out.
MS did it on purpose for debugging purposes? Maybe a couple more tags like
<input type bluescreen>
<input type slow_machine_to_crawl>
<input type bsa_audit>
<input type flood_ISP>
exist and they just haven't been discovered yet.
Just for grins, I saved the file, and now can't delete it (without mucking around) due to the fact that the whole desktop crashes while IE tries to render the little thumbnail of the page in Exploder. And no--I don't have active desktop enabled.
Fun for the whole family!
Try to play .mpg or .mpeg files by clicking a link on a page and that seems to crash the current WMP 9 unless you save the file to disk first. STRANGE it doesn't affect wmv files.....fucking MS dickheads
OK, so that's another thing IE for Mac excels at then. Yes, it's more standard compliant as well, although IE 6.0 for Windows caught up a bit.
Beware: In C++, your friends can see your privates!
Why do Windows people get all these features. I don't even have a way to test it. Damn you Microsoft Monopoly. Damn you Konqui for refusing to crash when most needed.
it shook it off just fine.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Hell having IE crash and close a window on an HTML page that simply is not ever going to appear in the real world, what's the big deal? With the userbase IE has, the odd crash bug is really not a big deal at all. When I first used Netscape on RedHat Linux I managed to make it crash 5 to 6 times, one of which also took down part of the windowing system on KDE, which made the Titlebar and window controls disappear on all the windows I had open, only a reboot resolved it (oh yeah I had to call someone down from IT support to reboot it as the Linux machines are so temperamental that they don't always boot properly). The only difference between crashing on Linux and Windows is Linux just kills the window and says no more, at least windows keep you informed with a dialog box telling you that something happened.
I'll stick to IE, it works, it's free, it's the standard. If Netscape and others want to compete with it, here's some advice; make your browsers at least as good as IE before trying to get users to migrate to it.
Much too much time is spent on documenting the bugs in Windows. Resources are much better allocated elsewhere. Anyone who must deal with Windows knows that the easiest way to expose a security or reliability issue with this OS is to boot a Windows PC. Sheesh!!!
Fuzzle Horsey!
I think I just found my new email sig :-)
Things become interesting with these lines from SecurityFocus.com..
..so basically you can push a remote crash message to users of Outlook. All they have to do is look at your message, and the program crashes? Anybody got sacked and wanted to get back at their company, this could provide an opportunity to do that.. ..just email all users in the company directory.
"This HTML also crash Outlook, Frontpage, and all the Microsoft programs that use the shlwapi.dll library to render web code."
IE on Mac OS X is fine, no crash. So is pretty much any and every browser based on Gecko.
-- DuckWing
that IE is part of the O/S?
That's beautiful. Can you say "Mailinglist Archives"?
Exactly! IE crashes because 80+% of the dopes out there use IE. True geeks use a good browser, like Mozilla, Opera, Phoenix, et al.
Problem though, just like linux, once enough people start using the alternative browsers, the people who find "bugs" like this, will start looking for ways to compromise them. But, unlike M$, the open source community will squash them quicker, without waiting for 1000 meetings to determine how to fix it.
this sounds more like a command to me
I mean, "input type crash", the word crash just got my M$ suspicious deeds rolling.
Maybe this is a special pre-XP era piracy battle scheme. When users update their version of Windows and the CDkey or serial key appears to be jacked, they divert you to a "NEW" page, crashing your IE. Average joe might think, "oh no, must be me pieratted windose, gots to got me a real cupy instead"
sarcasm was seriously intended
That is in a consumer OS (XP Home) that costs less than $100...
http://www.microsoft.com/windowsxp/pro/howtobuy/pricingretail.asp
$299 as I read that page...
creation science book
Of course whenever MS is mentioned on /. everyone has to jump on the bandwagon and start taking pot shots, but in this case I feel it has backfired.
/.?
I've been using XP since its release and from the start I've enjoyed the overall system integrity it provides. I can't say that IE has never crashed before on me, but it has been very rare and I surf dozens of different sites every day. One thing I had noticed in the past, but wasn't entirely sure about until now, is that if a page crashes IE then it only shuts down the window that page was in.
With this bug I was able to test this and found it to indeed be the case. With several IE windows open I clicked on the link in one of them and only that window crashed.
Since no browser in the world is immune to crashing, this bug is more a testament to the integrity of XP than an example of bad programming in IE.
Let's face the facts, there have been many examples of real problems that have been found in IE that actually have potential for danger, this is not only minor, it borders on nothing. HTML is code right? Code is written by programmers right? Should not the integrity of the code be the responsibility of the programmer? You point the finger at the MS programmers because their code won't handle every possible code error of another programmer?
Have you ever written code that crashed? What did you do, debug your code or start firing off letters to
"" Is this some kind of a joke? You crash the app simply by putting in "crash." Priceless!
TANSTAAFL: It's not just a good idea, it's the law.
I just noticed that the tantek.com link I posted above crashes Webcore-based browsers. After posting the comment from OmniWeb 4.5 (which uses KHTML Webcore) I clicked on the link. OmniWeb crashed.
Since I'm using a "Sneaky Peek" version of OmniWeb, I thought that maybe it was just a bug in the beta code. I tried the same link in Safari and it crashed too.
I assumed that since this was a page on Tantek Çelik's site the CSS would be valid. The page flunks the HTML validator at w3c.org because of a misplaced noscript tag. - I wouldn't expect that to crash a browser.
Must be a WebCore bug. Kind of ironic given the topic.
This is a good thing. NULL is generically used to indicate that a pointer is invalid. Attempting to read or write to a NULL pointer is always a bug and should cause the application to be stopped. Writing and reading from random memory address is a sure fire way to cause interesting results. Enforcing such restrictions helps to force programmers to ensure their programs are at least less buggy in that respect.
MacOS 9 allowing location 0 read/write is a bug, not a feature. (Well... probably not, really. MacOS 9 and prior probably allowed 0 as a valid userspace location.) When a program attempts to read or write to NULL, it should be terminated, as this is an error condition. This would be like ignoring the low oil pressure light on your car - you might be able to keep running for a while, but disaster could strike further down the road.
You are in a maze of twisty little relative jumps, all alike.
After all it is using all over the in windows explorer rendering engine.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Go to the battle.net forums, select, say, Diablo II Hardcore forum, then open several links in tabs. That pretty reliably crashes gecko for me.
It is interesting to me that we don't hear more complaints about this rather large shortcoming. You could almost say Entourage effectively cripples replacing a lot of PCs with small, reliable iMacs, since many companies depend on the groupware functionality of Exchange/Outlook. If Entourage can't provide that to the Mac users, there won't BE any enterprise mac users--or at least, any enterprise Mac users that don't also have to have a separate PC with its inherent Windows License and extra Exchange CAL, and Office license.
Since I always use my Mom as a "Joe/Jane Average" computer user example, lets pretend her office wanted to go entirely Mac tomorrow on the desktop, but still keep their Exchange server and domain controllers running Win2k.
Their custom business apps are actually terminal sessions on a couple of unix boxes, and their ERP/Purchasing system is provided via web-interface.
They could do it, except for one freakin' problem. They "need" (psychologically, not in reality) their groupware to be MS Exchange compatible because it would be "too hard" to switch to something else. But entourage doesn't do that. So they're screwed.
Sure, they could ditch the calendaring through exchange and set up an intranet apache server with everybody's iCal calendar published to it--it would be pretty neat and not involve any more damn CALs. But the mental hurdle of non-tech users in positions of authority to jump is sooo high--and MS knows this.
Sure, they've "announced" that it will eventually work. "Eventually". But does anybody really expect it to be flawless? Without a single, solitary, "red-headed stepchild" workaround or hack to make it work right?
Who did what now?
http://www.securityfocus.com/archive/1/319621/2003-04-20/2003-04-26/2
Opera crashes to the point where you have to *reinstall* it so you can run it again.
All you have to do is run a very large 'news:' URL.
Is that true? Why aren't the hardware specific bits abstracted out, so that a common codebase can target arbitrary operating systems?
Wait: the subject is Multiple Sclerosis. Never mind. Monopoly, Someone?
True enough, but who actually uses WMP on a mac when there's VLC and Mplayer? Come on, people, opensource, opensource!
By reading this you acknowledge that you have read it.
Does this bug affect Outlook? Because if it does, it's suddenly a bit more serious.
And if it doesn't, what stops anyone from "crashing hotmail" (if you get my drift...)
free the mallocs!
Try saving the original link as a text file. Browse using Windows Explorer (I know, same thing as Internet Explorer...) and attempt to rename the file. Crash-o-rama. Nice one, Microsoft. So is there any possible utility of the input type "crash"?
On later tries, "view source" worked.
Cool Beans! It sounds like kind of a "browser bitch-slap", certainly a lot more expressive than "Microsoft-Free Fridays".
Now what would be really cool is if you could program an ActiveX component for IE that would automatically install Mozilla - help the misinformed user, rather than just pissing them off.
I really don't know why anyone would use a browser that can't even get HTTP right (Hey Microsoft bozos, what do you think "Content-type" means?).
"The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
you mean (input type crash) except in brackets?
So, I'll say it here first and save them the trouble!
Best Buy can have you arrested
No, not all browsers have this bug and so far I can't replicate similar sounding bugs in Mozilla producing a crash and loss of work. Also, not all browsers are so widely used and not all browsers integrate code with widely used e-mail clients (Outlook and Outlook express still use the same HTML renderer that is subject to so many problems). This leads to multiple paths to sabotage someone remotely, perhaps even anonymously. Let's not forget that any application that embeds MSIE/Windows' renderer is vulnerable. Considering how many people use MSIE on MS Windows and how many of them are affected by this bug, I'd hardly call revealing the bug a "joke".
I'm not encouraging anyone to think in the false dichotomy of good vs. evil and neither should you. Nobody is helped by glossing over relevant details of how this works or ignoring the wide scope of the bug. This is one of a long string of Microsoft bugs that directly adversely affects ordinary users. We are much better served by suggesting real-world fixes (such as switching to Mozilla to do most browsing, even under a proprietary operating system). We're also better off identifying this exemplar of the practical shortcomings of proprietary software. There's no workaround here--MSIE/Windows users must simply wait for a fix from the proprietor if they won't switch browsers (and any other app adversely affected by embedding the MSIE renderer).
Digital Citizen
Get a modern system and run Windows XP. You'll be surprised at how much better it is than WinME.
umm, you do know the difference between "Home" and "Pro", don't you??
http://www.microsoft.com/windowsxp/PRO/howtobuy/pricingretail.asp
I feel the same way about Debian and Mozilla. Last time I checked you could get a CD set for $8, and it comes with more text editors and spread sheets than you know what to do with. Oh yeah, it also can't be remotely exploited as easily, has no built in spies and has no demeaning click through submissions. By the same token, I feel confined, badgered and disrespected anytime I'm forced to use M$ software and its pathetic single screen, network unaware GUI. Some people do strange things to their mom, not me.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
This is not a bug - it is more like an instruction/command. 'Crash on Command' - has a nice ring to it... I mean - if everything else is able to bring windows to its knees - the average user should be able to as well - right?
"Maybe if our users realize how easy it is to crash our software they will be more understanding..." Brilliant! Those guys in Redmond just never stop innovating.
In order to beat them... we can't play by their rules. Obviously, if we did, they would kill us in seconds flat. So, we resort to "guerilla warfare" and fight them in a way that they can't defend against. In the end, the goal is the same -- "take down Microsoft and stick a red-hot poker in their eye!" The ends justify the means.
On Linux and Windows, the .text segment of the currently running program starts one page AFTER 0. The page containing the address 0 is marked no-access so that NULL pointer dereferences PURPOSEFULLY crash the program. They waste 4k of memory for that feature.
Otherwise, the program would just keep going. You wouldn't see the crash until you attempt to write there and clobber your code.
Fuck Beta. Fuck Dice
To all my school sysadmins: "The following 5 lines of innocent HTML code will crash Internet Explorer:" That would really be priceless. "So, still want to use Windows? I've got Knoppix and Mandrake CD's if you want to try."
No, his own OS does.
(I actually don't know if your whole machine will crash hard with this, I don't have a machine to test it on, but there was a lot of buzz about it on flipcode awhile ago).
This is from here.
And finally, a non-screenshot related bug: the following neat little program, when compiled and run, will completely crash XP (and any earlier version of NT) (when I ran it, XP rebooted). I don't recommend you really try this program, but if you do, save all your work etc first:
#include <stdio.h>
int main (void) {
while (1)
printf ("\t\t\b\b\b\b\b\b");
return 0;
}
I believe Konqueror has this feature. It can either run different windows in different processes or in different threads.
And in Konqueror, you can configure this behavior. Look under Settings: Configure Konqueror: Behavior.
This is what the "minimize memory usage" section is about. If you set it to "Always", everything runs in a single process, so it's a bit faster, but you risk losing all windows if one crashes (which they seem to rarely do).
My IE (6.0.etc) just crashed with only '', which is one (malformed - you should get a parse error for it) tag. The full version linked to by the story is 5 tags. Just like you can measure C in instructions such that 'a(); b(); c++;' is 3, you can count HTML by tags. The generic term is 'lines', regardless of formatting.
LUNIX WILL 0WN MICRO$OFT$ A$$.
begin
I'm not surprised IE can't render HTML.
High-speed Road Trip (18.000KPH)
If you dare
<html>
<form>
<input type format-all-harddisk-and-burn-the-monitor-out-and-smoke-off-the-power-supply>
</form>
</html>
Code poet, espresso fiend, starter upper.
to come from Windows for Workgroups to XP in 10 years is pretty impressive
Yowch! I was buying that you were pro-Microsoft until I hit that part...
You can determine that some inputs will execute to completion. If you allow only the known completions, you can guarantee security from input that causes an infinite execution time.
You people are just like microsoft with your bloated code. Wasting all the extra space with unneeded characters. If there's one thing a Bleveskovolokian knows how to do it's to save an extra few bytes. Try:
<input type>
That's all. None of that unneeded crap. 12 bytes and crash!! The most efficient IE crasher web page yet. Beat that! I dare you.
Well, the man page at least:
http://monster-island.org/tinashumor/humor/ielinux.html
Actually, I think its a bug in
All you have to do is spam this company with this small HTML one-liner. Outlook is set to preview on most desktops. So the hapless users' Outlook would crash and could not be brought back: If you start it again, it would try to preview the offending message again and CRASH.
That would seriously hamper the operations of a company, and if that company is, say, a Wall Street broker, the financial losses could amount to millions.
So IT support people should really demonstrate this vulnerability to the clueless PHBs who insist on putting Outlook on their company's desktops. Maybe they'd stop being so foolishly blind to MS-induced security risks if, say, THEIR Outlook crashes and burns...
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
5.50.4134.0600
Type address
about:<input type crash>
and watch IE go up in smoke
IEXPLORE caused an invalid page fault in
module SHLWAPI.DLL at 016f:70bd1d1e.
Registers:
EAX=00000001 CS=016f EIP=70bd1d1e EFLGS=00010202
EBX=01b9bf20 SS=0177 ESP=0279fa00 EBP=0279fa10
ECX=0279fa18 DS=0177 ESI=00000000 FS=138f
EDX=70d4b0a8 ES=0177 EDI=00000000 GS=0000
Bytes at CS:EIP:
0f b7 06 46 46 83 f8 41 7c 05 83 f8 5a 7e 1d 0f
Stack dump:
70e7f5b0 70e4e2e2 00000000 70d4b0a8 00000034 70c93150 00000000 00000034 01ba6148 01b9b1d0 01b9bf20 01ba6148 01ba6148 70c9300b 00000034 01ba6148
Dreams, dreams, don't doubt dreams, dreaming children's dreaming dreams. Sailor Moon SS
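An added illustration, not part of any comment above and not Microsoft's code: in the fault dump posted above, the bytes at CS:EIP decode to movzx eax, word ptr [esi]; inc esi; inc esi; cmp eax, 41h; jl; cmp eax, 5Ah; jle, and ESI is 00000000, so the fault is a 16-bit character read through a null pointer followed by an 'A'..'Z' range check. That is consistent with a case-folding string compare being handed a null string, which is what a valueless type attribute (as in <input type crash> or plain <input type>) would produce; the thread does not confirm the root cause, so the tag parser, the type table and every function name below are assumptions made for the sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum input_type { INPUT_TEXT, INPUT_PASSWORD, INPUT_CHECKBOX, INPUT_SUBMIT };

/* Case-insensitive ASCII compare. A NULL on either side never matches, so the
   caller falls through to its default instead of reading through address 0. */
int ieq_safe(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static const char *skip_ws(const char *p)
{
    while (*p && isspace((unsigned char)*p))
        p++;
    return p;
}

/* Copy [start, end) into dst, truncating to dstlen - 1 bytes. */
static void copy_tok(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (dstlen == 0)
        return;
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Look up attribute `name` in a tag body such as "input type crash".
   Returns 1 if present, 0 if absent. *value points at a copy of the value in
   buf, or stays NULL when the attribute has no "=value" part. */
int find_attr(const char *tag, const char *name,
              char *buf, size_t buflen, const char **value)
{
    char tok[32];
    const char *p = skip_ws(tag);

    *value = NULL;
    while (*p && !isspace((unsigned char)*p))      /* skip the element name */
        p++;
    for (;;) {
        const char *s, *vs = NULL, *ve = NULL;

        p = skip_ws(p);
        if (*p == '\0')
            return 0;
        s = p;
        while (*p && !isspace((unsigned char)*p) && *p != '=')
            p++;
        copy_tok(tok, sizeof tok, s, p);
        p = skip_ws(p);
        if (*p == '=') {                           /* name=value form */
            char q;
            p = skip_ws(p + 1);
            q = (*p == '"' || *p == '\'') ? *p++ : '\0';
            vs = p;
            while (*p && (q ? *p != q : !isspace((unsigned char)*p)))
                p++;
            ve = p;
            if (q && *p)
                p++;                               /* step past closing quote */
        }
        if (ieq_safe(tok, name)) {
            if (vs != NULL) {
                copy_tok(buf, buflen, vs, ve);
                *value = buf;
            }
            return 1;
        }
    }
}

/* Map a tag body to an input type. A missing, valueless or unknown type
   degrades to a plain text box rather than faulting. */
enum input_type input_type_from_tag(const char *tag)
{
    static const struct { const char *name; enum input_type t; } known[] = {
        {"text", INPUT_TEXT}, {"password", INPUT_PASSWORD},
        {"checkbox", INPUT_CHECKBOX}, {"submit", INPUT_SUBMIT},
    };
    char buf[32];
    const char *value;
    size_t i;

    find_attr(tag, "type", buf, sizeof buf, &value);
    for (i = 0; i < sizeof known / sizeof known[0]; i++)
        if (ieq_safe(value, known[i].name))
            return known[i].t;
    return INPUT_TEXT;
}

int main(void)
{
    /* Constructed inputs taken from the tags quoted in the thread. */
    printf("%d %d\n", input_type_from_tag("input type crash"),
           input_type_from_tag("input type=password"));
    return 0;
}
```

Replacing ieq_safe with a compare that dereferences its first argument unconditionally reproduces the failure mode the dump suggests: the lookup loop reads through the NULL left behind by the valueless attribute.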
Would an HTML e-mail with in it crash Outlook or Outlook Express?
Word 97 is not immune
Nope. Doesn't crash anymore.
That one is fixed in XP sp1 and W2K sp3.
I always wondered why IE crashed so often. This is really informative -- I'll try to keep from using IE to render HTML in the future.
Here's a neat trick:
1. Open regedit.
2. Locate the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
3. Add a string key called "crash" with the value "http://vibrantlogic.com/new.html".
4. Start IE.
5. Type "about:crash" into location bar.
I'm not sure what characters are allowed in the key name, but using "/." was allowed, for "about:/.".
Somebody get that guy an ambulance!
On IE6 (6.0.2800.1106) the address history and content history were cleared.
Anyway! This *may* or may not be open to exploit, however, this behaviour should have been submitted to Microsoft first. This is just a typical "OMG! OMG! I FOUND A BUG!"
Well, you live and you learn.
Funny thing is, it's not compliant HTML and Konqueror rendered it. I don't know if that's good or bad. :)
"It's here, but no one wants it." - The Sugar Speaker
now you know why ACs don't get mod points
it's saturday!
It wor
Try this one:
http://www.clarodigital.com.br/
Go to the little message bar, type in any message long enough to make the scrollbar appear (it won't), and then backspace a few times.
Ladies and gentlemen, you have a crash.
It crashes every single version of Mozilla so far, including the current 1.4a. Naturally, with Javascript enabled.
I send them feedback from the feedback agent every new version that comes out. Here's hoping that they'll at least stop it from crashing whenever they get to it.
Replies to spam will never reach the spammer.
Just sayin'...
...where to apply force to get someone to fix it...
Does Microsoft use Microsoft products that HTML render? I would think so.
So. Show them the importance of the bug and write to your favorite MS execs and tell them via HTML e-mail that there's this funny little snippet of code that you have so graciously included below that crashes IE.
You know a browser is pretty sad when only 5 lines of code (or however many you want to call it) will crash it! But Opera 7.1 didn't even flinch...
> Even simpler:
> for(;;){window.open('');}
This hangs Mozilla 1.3 on Linux here.
Does this hang Mozilla 1.4 alpha?
Does anyone have a Bugzilla reference?
This might be fun to track down and fix,
an option open to all Mozilla users but
probably few Internet Explorer users.
If I put canola oil in my gas tank, my car dies, too... It's not Ford's fault that they didn't account for someone not knowing how to fill their gas tank, is it? Maybe it shouldn't crash, but it's not MS' fault that someone wrote incorrect code, either.
Before I put my steel toed Bates combat boots in your throat and accidentally drop my TiBook.
It looks to me like the hang caused by this:
for(;;){}
has been fixed, according to this bug entry:
http://bugzilla.mozilla.org/show_bug.cgi?id=101276
So, maybe the fix will make it into Mozilla 1.4final.
The fact that it's "input type crash" that does it reminds me of Apple's OpenFirmware prompt. If you type "crash" at the prompt on an iMac, the computer locks up hard, not even responding to the power button.
Win dain a lotica, en vai tu ri silota
I can't believe these Micro$oft people, I have XP Professional with IE 6.0.26 and it crashes too. I thought this kind of so evident IE problems were over after version 4.
It's not the "crash" keyword that causes it to crash, but any input where type is not defined.
But the bulletproofing has to go somewhere. If the library developer leaves it out, but makes sure the application developer knows that it's missing, most people (not all!) would say he's done his job. But if the application developer simply ignores the whole issue and assumes that bad input will "never happen", he's criminally negligent.
Uh, you guys do document when your libraries are supposed to fail, don't you?
just use opera for windows...best of both worlds
It's a C++ problem. One of these days, IE will be written in VB.NET or C#, and problems like these (as well as those that don't cause a crash but cause a security vulnerability) won't happen nearly as often.
Amazing magic tricks
I once heard a Java developer quip that the Windows BSOD was obviously a feature. How else to reclaim all those memory leaks?!
Hey, this is too stupid to be a bug, this is an easter egg. Apparently a programmer was really pissed off (-:.
IE just crashes cause it has nothing better to do. Bottom line, if you want reliability use lynx, if you want unreliable bloat use IE.
Except it plainly says "XP Home" in his message, after which you went and showed him the price for XP Professional. Did you read your own URL? It's $99 (upgrade from any Windows version released in the last 5 years) according to the CORRECT URL: found here. Sheesh.
mcox.com - Useful Information re: IT, Running, Fitness, Finance, or Ann Arbor!
Is that affected? Imagine if people start spamming that content...
I agree entirely that it is bad if an end-user application falls over inappropriately. I just disagreed with your generalisation, because not all software that's written is an end-user app. In some cases, your design goals don't include, or outright conflict with, complete error checking.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
This doesn't crash Konqueror either.
that's not a bug
that's a wabbit
It shuts down IE faster than the X at the top right of the window...
Business News and Resources: www.usasource.net
I posted that bug on a forum and was told this:
"The "fatal bug" you are referencing is a well known, widely used, snippet of test code. I've used it many times to test error handling routines in products that use shlwapi.dll. The purpose of it is to cause a crash."
Shouldn't a widely known "test code" be avoidable by browser writers?
The semicolon is from Slashdot breaking your & g t ; apart, to ensure that it properly line wraps.
They still insist that breaking apart &blah; tags is not a bug.
I am unamerican, and proud of it!
It will not render a form, or even format as htm. So my guess is that its IE poison is specific to the weird htm rendering done by Microsoft for IE5 and up. Can anybody guess why IE5 and up renders htm so weirdly? Couldn't be that it's part of
Well fortunately htm is not a patented file format, like
Don't worry, even if it would nuke Outlook then the world would not come to an end.
OH THE SHAME I fell off the wagon and use sigs again!
...as it seems that [this] is the Microsoft Crash mounth [sic]...
Isn't every month MS crash month?
-twb
Doh! My bad. IE still pukes with an end table tag though.
I should have mentioned that your company's product is a prime example of a library that has a good excuse for not being bulletproof. Math APIs are often used in tight loops in massive calculations. Adding failsafe logic may only degrade a call slightly, but when that call gets made a gazillion times, even a tiny loss of performance can get expensive.
On the other hand, the application itself had better be damned careful that the loop is executing valid data. Imagine the expense of an hours-long supercomputer run having to be repeated because the program crashed halfway through.
Or here's a nasty example: you're an artillery dude in the Iraqi desert and in the heat of the moment you type an invalid map grid into your laptop. It's OK for the program to reject your input (though making it difficult to impossible to enter invalid grids is better). It is not OK to just crash the program, and maybe force our GI to reboot the laptop -- assuming he lives that long.
That last example is directed less at Anonymous Brave Guy than at all the idiots who responded to my original post with assertions to the effect of, "we shouldn't have to make sure our product doesn't crash if the user does something stupid." That's a criminally arrogant attitude.
This does not crash Internet Explorer for Mac OS X.
HTML is just a document format, not a programming language.
Too many have called themselves "web programmers" when all they know is how to create HTML documents. The dotcom hype tolerated that, but in today's world HTML does not a programmer make.
---------
There is inferior bacteria on the interior of your posterior.
As for the whole library discussion, that is a different animal altogether and I totally agree that it can often be desirable for libraries to crash and/or not check their inputs for validity, esp. if it is expensive to do so. Some libraries can decide to check their inputs, and in general these types of functions in these libraries are considered more 'developer friendly' but this type of decision must be made on a case-by-case basis when designing a library.
Since you can't fix the product (IE), you fix it before it comes there. Kinda like how a virus scanner is Windows' replacement for a "nobody" account, the e-mail scanner is a fix for Outlook and like Privoxy filters out Nimda code before it ever hits my web browser.
In short, if Norton can make that syntax checking a valuable add-on, people will buy it. If the software being protected (that should have a much easier time fixing it) doesn't want to exploit that business opportunity, Norton will. Capitalism at work.
Live today, because you never know what tomorrow brings
The original posting should have been amended, not to imply that almost any copy of IE on any OS, it only applies to WinXP.
There was an unknown error in the submission.
Opera: I can crash that browser in 7 lines
IE: I can crash that browser in 5 lines
Opera: I can crash that browser in 1 line
IE: Opera, crash that browser!
Opera: types in exploit code w/o carriage returns.
IE: Doh!
Doesn't sound like a very useful compiler. Programmers, being more or less human, make mistakes coding their input. It's stupid to assert that they just need to be more careful. Aside from simple human error (Sorry Dave!), programmers can misunderstand the language definition. Indeed, they have a hard time learning the language without a robust compiler to play with. I don't think you can call a compiler "robust" if its only error message is "segmentation fault"!
but now I can't read my own mail.
Learn some HTML entities! &lt; = <, &gt; = >
Most IE exploits involve Java or ActiveX.
You have an anal fixation.
hello world
I did a little poking. It seems that perhaps any attribute without a value (i.e., just a keyword, no =blah) will result in a crash. Try this all by itself:
<p align>
Boom.
Also crashes.
Finally, software that does what it's told!
This could really put Microsoft sales in trouble. For example.. can you imagine an email virus that first sent itself out and then displayed this simple html? It would crash tons of people's email clients and I bet a lot of people would switch.
;-)
Or maybe they'd all go out and buy macs
Remember, the halting problem refers to a general algorithm for detecting whether a program finishes. No one ever said that you couldn't write a program to detect infinite loops with some specific architecture.
The WinXP core will actually detect potential infinite loops in device driver code and alert the user. An older version of the GeForce MX driver had such a problem. It used to frustrate me to no end with Win2K--I had no idea what was making the computer freeze.
Then I put XP on and the next time it happened, the computer froze for a second or two and then popped up a BSOD alerting me that it detected an infinite loop in the nVidia driver. Sure, I still had to reboot, but at least this time I knew what to fix.
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
OK, if that's your frame of reference, I don't have such a problem with the statement.
Exactly. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
That >50 million installations of outlook will crash on startup monday morning?
Oh joy...
Steve (Ballmer),
As you know:
The first step was to give away IE free with every computer and corner the market. The second step was to make code that will only run on IE. The final step will be to have IE only render code that other browsers won't.
This is a foretaste of that plan and could wreck everything.
-Bill (Gates)
OK, since we're friends now: you guys need a tech writer?
Did any of you notice that the icon for this article is actually the IE icon for OSX?
here it is
Sorry, but I think our support guys might be a tad upset if we took you on and so made one of them redundant!
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Obviously the moderators missed the point of this comment. This comment states that MS should allow their beta testers to have the source code so they can more fully test the software. It is not flamebait or redundant, it is a valid point.
Any version of Windows (3.11 should be cheap by now, as is 95, etc.)
Microsoft no longer makes IE for Windows 3.11 or for Windows 95. Almost all older versions of IE are vulnerable to arbitrary-code exploits and will not be patched against them.
Mac OS
Which requires a hardware key from Apple that's not available new to the general public for under $1000.
Solaris
Which requires an even more expensive hardware key from Sun.
Linux might be next
Got any documentation to corroborate the rumor of an authorized port of Microsoft Internet Explorer to the GNU/Linux operating environment?
Will I retire or break 10K?
I'm on Windows2000, all latest updates installed, no active desktop, and every bit of explorer crashes: every window, even if it isn't displaying a web page.
-- 'The' Lord and Master Bitman On High, Master Of All
If that crashes it... would "" fix windows?
You're right, it does crash IE on a Wintel platform.
I now have a great piece of html to add to mod_rewrite for those people trying to link to images or mpegs on my web server.
Thanks, dude!
(this is going to be sooooo cool!!!!)
this shall now be my procmail autoresponse to filter all those annoying unwanted emails. just reply with those html tags and outlook will crash on their computer. ha!
my blog
this alone yields the same result (in IE 6.0.2800.1106.xpsp1.020828-1920, at least):
<table border="1">
<tr>
<td style="position: fixed;"></td><td></td>
</tr>
</table>
it looks like the table border must be >0, but only because the crash actually occurs when you mouse-over (any part of) the border, not the cell itself. weird.
But what do you do if your algorithm is O(n) but the algorithm to check it will terminate with a reasonable result on bad input is O(n^3)?
Terminate the process if it has gone ten times as long as it should based on an initial estimate of the O(n) execution time.
Will I retire or break 10K?
Not sure if others have also noticed what I discovered -- I copied the file new.htm with "dreaded" five lines on my local file system (Win2K box) and tried to select this file through my File Explorer. The Explorer crashed, along with Norton AntiVirus and a number of other programs usually shown in lower right corner !!
I went to the website & it didn't crash my Mozilla browser!?!?!
Must suck to use IE...
I was typing while under sudden duress. Fosttjrs@@@
I was all better, thanks.
Fuck Beta. Fuck Dice
Right after I posted that comment I tried to explain to someone the virtues of virtual memory -> physical memory mapping; including the whole "don't allocate 'till you see a page fault on it" thing. He agreed it was quite clever.
Fuck Beta. Fuck Dice
I know people who have been programming in C for over a decade who think that a null pointer is always a zero. Can you name a common computer architecture where null isn't zero?
There are some really obscure architectures where null pointers aren't zero, but even in those cases well-written code will usually work just fine; the standard specifies that a zero value assigned to any pointer or cast to any pointer type takes on the value of the appropriate null pointer. Furthermore, a null pointer value converted to a _Bool is always false, so the expected thing happens when a null pointer value appears in a conditional context. Finally, when a function prototype exists, an implicit conversion "as if by assignment" (the words are from the standard) occurs. So you might say that the standard goes out of its way to make ignorance of null pointers relatively harmless in otherwise well-written code.
As -//Zoze//DTD CrashIE 6.0//EN*, no less ;)
* Charset is set in the Content-Type header, so you'll need to make the validator grab it itself rather than upload using a form or so (so no Ctrl-Alt-V for you Opera users). Zoze comes from the domain name I first saw this on (zoze.co.uk).
the funny thing is that I've tried it on outlook express (crashed) but since that i can't start outlook. it just crashes on start. i deleted my inbox, all my outlook files, my ie cache, everything. it just chokes and dies. good to know :)
What would happen if I e-mailed this code to users of a certain brain-dead email client?
That's the sort of thing that the Mozilla team could easily request others to do for them. They could have a little discussion regarding good approaches for generating the test cases, maybe even build a downloadable test framework, then they could split up the tests, and have lots of volunteers running the test cases to see what crashed.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
> > ...this bug is not that serious, if you use IE correctly ;-)
;P
> What? You mean there's a correct way to use IE?!? Why didn't
> you tell us earlier!? Oh, wait. You've just misunderstood
> the meaning of the word 'correct'...
The correct way to use IE is as a downloader for Mozilla/Opera/lynx/links/Konqueror4cygwin on newly installed Windows boxes.
-JC
The Mozilla team could create a test app that could be downloaded. The team would come up with a large problem space of sequences of HTML tags, markup, attribute values (negative numbers, zeroes, missing, mIXed case, etc.). There could be some exhaustive testing of certain combinations, and random testing of others (where the state space is too large).
Volunteers could then download the test app, it would go to the Mozilla site with identifying info about the platform it was on, it would grab the next test set, run it, and report back to Mozilla HQ.
I also can't help thinking that this illustrates (for the billionth time) a fundamental weakness in the C programming language. Surely a language could be designed that would have very clever memory management (perhaps keywords for instructing the compiler which of several memory mgt. options you prefer in a fine-grained way), yielding 99% of C's performance while protecting memory by default (with perhaps manual overrides). Yes, I know C *can* be written this way, just as plain C can be used for home-brewed OOP, but everything about the language makes it unlikely that anyone will.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
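The distributed test scheme proposed in the two comments above (exhaustive where the space is small, random where it is not, numbered test sets handed to volunteers) can be sketched as follows. This is an added example, not Mozilla project code; the tag and attribute vocabulary, the function names and the platform label are constructed for illustration.

```python
import itertools
import random

# Constructed sample vocabulary; a real run would cover the full HTML tag set.
TAGS = ["input", "p", "table", "td"]
ATTRS = ["type", "align", "border", "style"]
# None means the attribute name appears with no value at all ("missing").
VALUES = [None, "", "0", "-1", "99999999", "TeXt"]


def render(tag, attrs):
    """Serialise one start tag; a None value emits the bare attribute name."""
    out = [tag]
    for name, value in attrs:
        out.append(name if value is None else '%s="%s"' % (name, value))
    return "<" + " ".join(out) + ">"


def exhaustive_cases():
    """Every tag x attribute x value combination: small enough to enumerate."""
    return [render(t, [(a, v)])
            for t, a, v in itertools.product(TAGS, ATTRS, VALUES)]


def random_cases(set_index, count):
    """Multi-attribute cases. The set index seeds the RNG, so any volunteer
    (or developer) can regenerate exactly the same set later."""
    rng = random.Random(set_index)
    cases = []
    for _ in range(count):
        tag = rng.choice(TAGS)
        if rng.random() < 0.5:  # mixed-case tag names
            tag = tag.upper()
        attrs = [(rng.choice(ATTRS), rng.choice(VALUES))
                 for _ in range(rng.randint(2, 4))]
        cases.append(render(tag, attrs))
    return cases


def work_unit(set_index, size=16):
    """Test set handed to one volunteer. Low indices slice the exhaustive
    list; once it is used up, higher indices become seeded random sets."""
    full = exhaustive_cases()
    start = set_index * size
    if start < len(full):
        return full[start:start + size]
    return random_cases(set_index, size)


def make_report(platform, set_index, crashed_case_numbers):
    """What a volunteer sends back: enough to regenerate each failing input."""
    cases = work_unit(set_index)
    return {
        "platform": platform,
        "set": set_index,
        "failures": [{"case": n, "input": cases[n]}
                     for n in crashed_case_numbers],
    }
```

Because every set is a pure function of its index, a crash report only needs the platform, the set number and the case number for a developer to reproduce the input.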
Nonsense. Support people love me. I make their jobs easier. They always have more calls than they can handle. The hard part is convincing management that good docs are worth the expense.
http://www.cogsci.ed.ac.uk/~richard/billion-laughs.xml
Don't try it unless you really want to.
Only one person decided to report a problem with redirurl to me (thanks).
I have decided to disable the cgi program, that you post as an example of the boards-killer (http://www.klaban.torun.pl/prog/redirurl/)
BTW: IE has hundreds of bugs, and hundreds would be found in the future. IE bugs should be corrected by Microsoft.
Problems with redirurl:
1. it was placed on the web for public use
2. it does not check if the URL is proper URL, and it does not escape HTML entities on the "warning" page
ad. 1. it was a mistake
ad. 2. it is just a simple redirector, that has been made just for hiding Referrer.
Referrer is logged to local web logs, but is unknown to the target web server.
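The two gaps listed under point 2 above (no check that the target is a proper URL, no HTML escaping on the warning page) are closed in the Python sketch below. It is an added example, not redirurl's own code; the function names and page wording are assumptions.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_target(raw):
    """Return raw if it is an absolute http(s) URL with a host.

    Raises ValueError otherwise.
    """
    # Reject control characters and whitespace before parsing: a URL has no
    # use for them, and header-splitting inputs depend on CR/LF getting through.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        raise ValueError("control character or whitespace in URL")
    parts = urlsplit(raw)  # may itself raise ValueError (bad IPv6 literal)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if not parts.hostname:
        raise ValueError("missing host")
    return raw


def warning_page(raw):
    """Build (status, body) for the interstitial page shown before redirecting."""
    try:
        target = validate_target(raw)
    except ValueError:
        # Fixed text only: a rejected value is never echoed back into the page.
        return 400, "<p>Invalid redirect target.</p>"
    # A valid URL can still carry <, >, & and quotes in its path or query,
    # so escaping is required even after validation succeeds.
    safe = html.escape(target, quote=True)
    # rel="noreferrer" serves the redirector's stated purpose of hiding
    # the Referrer from the target server.
    body = ('<p>You are being redirected to:</p>\n'
            '<p><a href="%s" rel="noreferrer">%s</a></p>' % (safe, safe))
    return 200, body
```

The first constructed input in the test below is a syntactically valid URL that still contains markup, which is why validation and escaping are separate steps.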
I doubt anyone will ever read this comment, but I have reported this bug, and the reply was as follows:
Thank you for reporting this issue to us. This code seems to cause an error
in Internet Explorer module ShlwApi.DLL. The problem here is that "crash"
is an invalid text for the html syntax:
I've reported this issue to our Internet Explorer team. While I could not
provide an exact date for a fix release, the issue is now being pursued by
our Development group. Fortunately, the , as an invalid
HTML sentence, will not appear in a normal web page.
That's not funny. What's funny in a crashing program? Geezus get a hold of yourself.
- Marco
But Opera on Mac? It's gross and horrible compared to Safari or Camino or even Mozilla. It crashes frequently, doesn't render well, and overall I'd choose {shudder} IE on Mac over Opera on Mac.
Any others think this way?
John 17:20