Slashdot Mirror

← Back to Stories (view on slashdot.org)

HTML Rendering Crashes IE

Posted by michael on from the tough-job dept.

SlimySlimy writes "According to this article on Secunia, a new IE exploit was found that crashes almost any version of Internet Explorer past 4.0 with just 5 lines of plain HTML code (no JavaScript, ActiveX, etc.). If you're very brave, you can test/crash your IE by going here." There's also a note on SecurityFocus.

8 of 887 comments (clear)

  1. OS X IE Is Unaffected by WiseWeasel · · Score: 5, Interesting

    It seems that IE 5.x on MacOS X is not affected by this. Not that it's such a big deal, I imagine any affected Windows versions of IE can be relaunched and people will just avoid going to places with such code. I fail to see the significance. Oh well, glad to see their Mac port is more stable in this regard.

    --
    "I like systems, their application excepted", George Sand (French)
  2. Re:Phoenix by thesadjester · · Score: 5, Interesting

    Well, just to note, the Mac OS X version of IE did NOT crash. However, anyone using IE on mac when Camino, Mozilla, and Safari are well put together should have their head examined. Don't forget Opera too.

    The bug seems to be Windows only....so the Mac coders at MS may be better coders...who knows.

    --
    -gabe
  3. bah by chadamir · · Score: 5, Interesting

    people are up in arms over this because it's an ms blunder. It does nothing more than simply halt your browser. As many can testify, halted browsers happen with any of the many browser flavors available.

    I heard someone suggest they hire better testers? How was anyone supposed to test for this. I know this is /. and trolling about MS is ok, but I mean come on, how could anyone see that coming.

    The fact remains though that this crash isn't really that big of a deal. Sure it crashes IE, but it's not like most content webpages want their reader's browsers crashing when they reach the page. Who do we have to worry about? HTML enabled web boards? I have to worry about someone linking c:\con\con as an image everytime I click a link. You just go on with your life. If they are stupid enough to have html enabled then it's their problem, not MS's.

    --
    NJ Local Music Scene
  4. Hah! I've got something that will crash IE also.. by [PF]+Lurch · · Score: 5, Interesting
    Ran into this while doing some website design, simplified the problem down to this. Note, the green background is just so you can see the cell a little better.



    <html>
    <head>
    <style>
    .header
    {
    position: fixed;
    background-color: green;
    }
    </style>
    </head>

    <body>
    <table border=1>
    <tr>
    <td class="header">sdf</td><td>sdfsdfsdf</td>
    </tr>
    </body>
    </html>

    You have to mouseover the table cells and you will get a gpf. Should work on IE 5.5 and 6.0.

    note: there is a bogus semicolon after the /td when I preview this post... it shouldn't be there, but I can't get rid of it.

  5. I just found what to auto answer to all my spam... by ArcticCelt · · Score: 5, Interesting

    "This HTML also crash Outlook" Sweet, I just found what to auto answer to all my spam. Of course with a subject line that says: I am very interested to buy your products.

    --

    Yahh, hiii haaaaa! -Major Kong, from Dr. Strangelove
  6. Re:mozilla crashes too by arvindn · · Score: 5, Interesting
    Even simpler:

    <script> for(;;){window.open('');} </script>

    Just tried with mozilla 1.2.1: froze.

    OTOH:

    <script> for(;;){} </script>

    If I do this a dialog pops up saying: "A script on this page is trying to screw you. Do you want to kill it?" (not in those words though :)

  7. Re:mozilla crashes too by metalpet · · Score: 5, Interesting

    That's actuallly a good point.
    Everybody who has spent any time developing web pages has learnt that bad (and sometimes even good) html can crash browsers.

    Are we *that* confident in the maturity of our web browsers that causing a browser crash is nowadays considered a serious issue?

    Before jumping the gun on parsing errors that kill the app, it might be smart to go over design errors first (scripts that keeps on going and that bypass the simple "lengthy script" checks are a good example. recursive frameset tricks would qualify too.). I've yet to see a full-featured browser that doesn't choke and/or die when presented with the right mix of recursion, active content and wickedness.

    <tidbit type=outdated>
    Netscape 3 had a neat crash code:
    <script>delete new Location</script>
    The neat part about it is that 2 of those 3 words were undocumented.
    Of course any attempt to pass that as a security concern back then would have been laughed at. loudly.
    I'm not sure what has fundamentally changed since then.
    </tidbit>

  8. Careful with those emails! by Anonymous Coward · · Score: 5, Interesting

    I just sent a HTML email with this in to a friend who runs Outlook 2000. As soon as he got it, it crashed Outlook. Funny thing is every time he starts Outlook up it crashes again so he can't rmeove it. Disables his email program with one crafted email!