HTML Rendering Crashes IE

SlimySlimy writes "According to this article on Secunia, a new IE exploit was found that crashes almost any version of Internet Explorer past 4.0 with just 5 lines of plain HTML code (no JavaScript, ActiveX, etc.). If you're very brave, you can test/crash your IE by going here." There's also a note on SecurityFocus.

OS X IE Is Unaffected

[WiseWeasel]

It seems that IE 5.x on MacOS X is not affected by this. Not that it's such a big deal, I imagine any affected Windows versions of IE can be relaunched and people will just avoid going to places with such code. I fail to see the significance. Oh well, glad to see their Mac port is more stable in this regard.

Re:OS X IE Is Unaffected

[Zan+Zu+from+Eridu]

Seems to me like the people at securityfocus missed something: what would happen if someone where to put up a page that changes IEs default startup url to about:<input type about> or something like that?

Re:Phoenix

[thesadjester]

Well, just to note, the Mac OS X version of IE did NOT crash. However, anyone using IE on mac when Camino, Mozilla, and Safari are well put together should have their head examined. Don't forget Opera too.

The bug seems to be Windows only....so the Mac coders at MS may be better coders...who knows.

Re:Damnit!

[antoy]

Not only did THIS version of IE crash, but the others I had open did too!

It crashed only a single IE window on my pc. I run IE 6.0 on XP with all the updates, but maybe it has something to do with the 'Open folder windows in separate processes' option I have enabled.
It's not a serious vulnerability, but it sure is a very embarassing one :)

Does it have to be ``type crash?''

[mgrant]

Does it have to be ``type crash?'' Why would ``crash'' be hardcoded into any library? It is just the lack of the ``='' that's doing it? I'd try it myself, but I don't own a copy if IE. Can anyone confirm?

bah

[chadamir]

people are up in arms over this because it's an ms blunder. It does nothing more than simply halt your browser. As many can testify, halted browsers happen with any of the many browser flavors available.

I heard someone suggest they hire better testers? How was anyone supposed to test for this. I know this is /. and trolling about MS is ok, but I mean come on, how could anyone see that coming.

The fact remains though that this crash isn't really that big of a deal. Sure it crashes IE, but it's not like most content webpages want their reader's browsers crashing when they reach the page. Who do we have to worry about? HTML enabled web boards? I have to worry about someone linking c:\con\con as an image everytime I click a link. You just go on with your life. If they are stupid enough to have html enabled then it's their problem, not MS's.

Re:bah

It's not MS's job to ensure that this happens (regardless of their own spotty record of producing HTML).

Right, it *is* MS' job though to create good software, software should function and terminate properly.

Sorry, it's just not that big of a deal.

It's not a big deal at all, indeed. It is sloppy programming though.

Re:bah

[ch-chuck]

I heard someone suggest they hire better testers?

It's an old, perfectly legal, tradition of software: the paying licensees are the testers. I just crashed IE and XP automatically sent in a bug report.

I just love the simplicity of it, kinda like the early vesions of NT where you could just telnet to port 139, type a few random characters and hang up, then watch CPU utilization stay at 100% untill reboot.

Hah! I've got something that will crash IE also..

[[PF]+Lurch]

Ran into this while doing some website design, simplified the problem down to this. Note, the green background is just so you can see the cell a little better.

<html>
<head>
<style>
.header
{
position: fixed;
background-color: green;
}
</style>
</head>

<body>
<table border=1>
<tr>
<td class="header">sdf</td><td>sdfsdfsdf</td>
</tr>
</body>
</html>

You have to mouseover the table cells and you will get a gpf. Should work on IE 5.5 and 6.0.

note: there is a bogus semicolon after the /td when I preview this post... it shouldn't be there, but I can't get rid of it.

It's not a bug....

[yeoua]

There were some NES games (and i think even some SNES games) in the past that had various codes and such (like the famous Konami code), and some games even had a reset code. This basically just reset the game by giving a specific key sequence (usually just hold every button down) and boom, the game resets with out you needing to walk up to the console.

Perhaps the ms ie engineers were just too lazy to hit the x button on ie so they developed this nifty little "feature" to make restarting ie that much easier. How?

Simple... make an htm doc on the desktop, put in these 5 lines, make it your homepage (obviously this prevents loading ie to begin with, but you can just load some other page first) and since home can be gotten to with some keypresses, this means it can be bound to the mouse buttons in some of the newer models.

And there you have it. Instant ie restarting from your mouse! You don't have to waste time clicking the x and then double clicking the ie icon. Genius!

(BTW, perhaps ms can be /.'d through too many users sending in bug reports?)

what happens?

[scubacuda]

Does anyone actually *know* what happens when you submit these errors to Microsoft?

Pretty simple bug really

[JanusFury]

If you skip over the assembly instruction that causes the exception in a debugger, everything works fine. So if anyone pulls this trick on you, just open the debugger and skip the instruction. :) That, or get a better browser.

Re:Phoenix

so the Mac coders at MS may be better coders...who knows.

No, this is actually well known. IE for Mac got way ahead of IE for Windows, so the group coding the Mac version was dissolved a few years back to slow down development.

Bill! Get it together, Bill!

[fm6]

The ease with which Microsoft software manages to generate invalid pointers has bothered me for a long time. But for the web brower to crash in the face of such a god damned simple HTML error is just plain scary. Here's the entire web page:

<html>
<form>
<input type crash>
</form>
</html>

I mean, does anybody in Redmond do any QA work at all? Or are they all too busy writing white papers, fighting lawsuits, and babbling about "freedom to innovate"?

Light-weight alright ;o)

[maharg]

The error is invalid page fault in shlwapi.dll

DLL Name: Shell Light-weight Utility
Library Description: Contains utility functions for handling paths, urls, strings, registry entries and color settings

Interesting that this dll can also 'handle' registry entries....

In fact, the 5 lines of html can be reduced down to one:

<input type>

..although placing this in the middle of a page doesn't always work:

<html>
<head>
<title>foo</title>
</head>
<body>
<h1>foo</h1>
<input type>
</body>
</html>

type seems to be the only attribute that has the desired effect

Re:Microsoft...bleh.

[theVicar]

It does surprise me... I mean, 'input type crash' ?? or is the input type significant or just for emphasis? It seems like what with 1-6, 8, and 9 of 9, plus all those eager-beaver interns and million typing monkeys at Microsoft this would have been caught earlier, unless the 'crash' thing was put there on purpose to intentionally cause a segfault or something so people could see what happens with all the activex controls etc. when IE does crash, and somebody forgot to remove it. Or, is Slashdot in permanent April Fool mode now? I hope so.

Hmm..

[chibiyoukai]

I haven't decided which is worse... The fact that such a silly bug exists, or the fact that it went undetected for six years.

Crash

[Hobobo]

A crash bug? Mozilla has none of those, right? Right? (seriously, if anything Microsoft should be proud that one pointless crash bug is such a big deal)

An infinite loop is not a bug in the application

[Rares+Marian]

It's a bug in the document.

What happens I guess is:

1. You move the mouse outside the body to an image or off window.
2. That blurs it.
3. It wants focus, but the mouse is off the window.

Somewhere javascript is point to self, so it runs focus, but the mouse is not on an object with any relation to javascript.

This one may just be on the boundary between what is and what isn't.

Write a worm....

[clambake]

Write a worm that sets everyone's home-page to this... so very evil.

I just found what to auto answer to all my spam...

[ArcticCelt]

"This HTML also crash Outlook" Sweet, I just found what to auto answer to all my spam. Of course with a subject line that says: I am very interested to buy your products.

Re:mozilla crashes too

[arvindn]

Even simpler:

<script> for(;;){window.open('');} </script>

Just tried with mozilla 1.2.1: froze.

OTOH:

<script> for(;;){} </script>

If I do this a dialog pops up saying: "A script on this page is trying to screw you. Do you want to kill it?" (not in those words though :)

Re:Users look like kids on slashdot

Unix has had hundreds of buffer overflows in "small places" written "in a very simple way" that any coder "should be able to catch". It still took decades before an effort was even made to identify them, and we're still finding them now, despite the many man-years of auditing. Face it, no-one writes perfect code every time, not even Knuth, and most of us aren't even half way to his rigo(u)r.

If you can identify all the bugs "that any coder should be able to catch" in every line of Linux kernel and GNU support code, so nothing ever goes wrong ever again on my system, I will personally pay you a full-time wage to do it. And so would Microsoft if you wished to do it for them. So, ready to convince us that you can debug the most complex consumer software?

Re:Wonder if that works deeper in a page

[goph]

actually it could indeed...

just putting "about:<input type crash>" in the url bar already worked...

which is just 1 line

Why wasn't this discovered earlier?

[JustKidding]

I mean, hurds of people must have mistyped the input type tag at one point or another, how come we never heard of this before?

You guys are all on crack

[Old+Wolf]

Am I the only one who has noticed that this is obviously some debugging? They would have used such an instruction to test the crash recovery stuff, make sure data isn't corrupted during crashes, etc. etc. etc.

It doesn't qualify as 'exploit' or 'bug'. It's not a security risk. It's not even a problem. IE crashes all the time anyway, you just re-start it (or you can even have it restart automatically) and you're back where you were (before clicking the link, presumably).

Although this gives me an idea... what if you managed to set someone's default URL to this? Might take them a while to find out what's going on.

Security Audits

[aking137]

If someone has left this around since 4.0, why haven't all these security audits Microsoft claim to be doing haven't found that out yet? Are we still to believe that they actually spent a whole month in early 2002 just rooting out security holes, when they didn't notice this? Or is someone going to try and say that they /did/ notice it and then deliberately didn't fix it, on the grounds that it's just a bug and maybe not technically a security hole? Come on, really...

Andrew

Re:mozilla crashes too

[metalpet]

That's actuallly a good point.
Everybody who has spent any time developing web pages has learnt that bad (and sometimes even good) html can crash browsers.

Are we *that* confident in the maturity of our web browsers that causing a browser crash is nowadays considered a serious issue?

Before jumping the gun on parsing errors that kill the app, it might be smart to go over design errors first (scripts that keeps on going and that bypass the simple "lengthy script" checks are a good example. recursive frameset tricks would qualify too.). I've yet to see a full-featured browser that doesn't choke and/or die when presented with the right mix of recursion, active content and wickedness.

<tidbit type=outdated>
Netscape 3 had a neat crash code:
<script>delete new Location</script>
The neat part about it is that 2 of those 3 words were undocumented.
Of course any attempt to pass that as a security concern back then would have been laughed at. loudly.
I'm not sure what has fundamentally changed since then.
</tidbit>

Whoa! This is worst than I thought.

This does not just effect IE, it also appears to effect apps using the IE html rendering engine including Outlook Express and Frontpage.

Try sending someone the crash code as an html e-mail. It crashed Outlook before even previewing. SHIT.

I sincerely hope anti-virus software blocks this one soon.

This could turn into a new email worm

[juniorkindergarten]

I just pasted the code into mozilla mail and emailed my outlook express 6 client and it caused it to crash. (Go figure)
I haven't tried outlook 2000 yet. Anyone want to give it a shot?

Outlook Express affected

[kh0ng]

Outlook Express uses the IE-Rendering Engine, so...

One HTML-Message posted in a Newsgroup and containing the line "<input type>" (Shortest form of the exploit...12 bytes to crash IE) will kill all Outlook Expresses who try to read it (remember that OE _always_ displays the HTML-Version of the post), leaving the users puzzled and perhaps "insightful +5"...

Re:Phoenix

[Alorelith]

I tried it in Netcaptor which is based on Internet Explorer--the page opened and the error message popped up, but Netcaptor kept on chugging. It's really a great browser. Offtopic, but when is Mozilla/Firebird going to incorporate something similar to Captorgroups. And don't even mention that multiple bookmarks on startup, that's not the same thing. Captorgroups are much more versatile.

Re:Wonder if that works deeper in a page

[dattaway]

Does this work as a ">link?

If it does, I can imagine many people posting malicious links in blogs everywhere by the end of the day.

Careful with those emails!

I just sent a HTML email with this in to a friend who runs Outlook 2000. As soon as he got it, it crashed Outlook. Funny thing is every time he starts Outlook up it crashes again so he can't rmeove it. Disables his email program with one crafted email!

Re:Two points of significance for crashes.

[Zaiff+Urgulbunger]

Re potential for Outlook crashing, I'm not going to try this but if an outlook user receives an email containing this HTML then as soon as they view the email, Outlook crashes right?

But the email would still be in their Inbox... so the next time they start outlook... oh just rememebered, Outlook Express (not sure about the full Office Outlook version) will not display an email after a crash.

Worrying though!

Crashes desktop in auto-preview!!!

Just for grins, I saved the file, and now can't delete it (without mucking around) due to the fact that the whole desktop crashes while IE tries to render the little thumbnail of the page in Exploder. And no--I don't have active desktop enabled.

Fun for the whole family!

no prob with Konqueror

[The+Tyro]

it shook it off just fine.

Mail-A-Crash

Things becomes interesting with these lines from SecurityFocus.com..

"This HTML also crash Outlook, Frontpage, and all the Microsoft programs that use the shlwapi.dll library to render web code."

..so basically you can push a remote crash message to users of Outlook. All they have to do is look at your message, and the program crashes? Anybody got sacked and wanted to get back at their company, this could provide an opportunity to do that.. ..just email all users in the company directory.

Re:Inquirer says one line

[craigeyb]

Not to be overly trollish here, but you could also squish poetry onto one long line or a big novel onto one really huge page, like something in Guinness's Book of World Records I suppose.

The point is, we use line counts in computer languages, even though most computer languages can be spaced out in numerous ways, because it provides a good rough estimate of length and complexity. It's not always the best metric, but oftentimes it serves its purpose well. In this case, the typical slashdot reader can see that the exploit is only "five lines" and realize that it's not a overly complicated HTML parser exploit but instead something ridiculously simple.

Re:Very big deal

What about HTML-enabled messages in Outlook etc?
What if somebody sends a SPAM with it? It is not virus, but anyway...

Re:Crashing != bug

[NickFitz]

You don't need to idiot-proof it, you just need to make sure it doesn't behave ungracefully when assaulted by an idiot.

It's impossible to do that. Turing demonstrated that it is not possible to determine whether any given algorithm will execute to completion for all possible inputs. As the library in question is a mathematical one, it will undoubtedly contain algorithms which will not complete for some input or inputs, and all the bounds-checking in the world cannot guarantee security from input which will cause an infinite execution time. If it was possible, it would be a solution to the Turing machine halting problem, and such a thing cannot be, by definition.

Re:mozilla crashes too

[Wastl]

Since when does any script on a normal website need to run more than a few seconds without halting?

Can you guarantee that? I had a student who was using JavaScript in an editor written in dynamic HTML to traverse the HTML DOM tree in Mozilla and reconstruct information out of it to form an XML document. The program takes several seconds even on relatively small documents. Where would you put a reasonable timeout?

Sebastian

Re:NULL pointers and error handling

[Krach42]

OS1-9 used a non-protected memory model. There was no virtualized memory, because every application worked in the same memory space. And actually, this is nearly the same way that Win9x worked. Thus, the recommendation from Microsoft to reboot the entire system if a program crashed in 9x.

It's not just input.

I did a little poking. It seems that perhaps any attribute without a value (ie., just a keyword, no =blah) will result in a crash. Try this all by its self:

<p align>

Boom.

way to fight spam

[sewagemaster]

this shall now be my procmail autoresponse to filter all those annoying unwanted emails. just reply with those html tags and outlook will crash on their computer. ha!