Slashdot Mirror
IE Shines On Broken Code
mschaef writes "While reading Larry Osterman'a blog (He's a long time Microsoftie, having worked on products dating back to DOS 4.0), I ran across this BugTraq entry on web browser security. Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse.' If you want to try this at home, he's also provided the tools he used in the BugTraq entry."
Since it may not be obvious to all readers, be aware that when you can make a program crash by feeding it bad data, you can typically further manipulate the data you are sending it to take control of the program. That means a security hole. This is how buffer-overruns work. You can't always do it, but you can think of each way you can crash a program as a little "crack" in its exterior. If you can figure out a way to pry apart the crack, you've got yourself a hole.
.NET languages, rather than programming in straight C like the others) which as a side effect prevented such problems.
So many of these "bugs" in Mozilla, Opera, Lynx, and Links are likely security holes as well.
It is interesting, then, to see that Internet Explorer did so well on this, with its notoriously bad history on security. My first instinct would be that the HTML parsing engine in Internet Explorer was written by a different team of programmers than worked on the rest of the software, and they used proper programming techniques (such as RAII in C++, or perhaps used one of their
Let's hope that all these bugs are taken care of in the other browsers quickly before the black hats find ways to make use of them.
It's hard for thee to kick against the pricks.
There's a good phrase I can use to explain this one:
If you work in a monkey house, you expect to be pelted with shit.
I'd love to read the article, but the page seems to contain malformed HTML...
However, my Mozilla passed the test without crashing. :-P
Money for nothing, pix for free
While it's all very interesting, the fact is, if this is a valid problem then you can be sure that all the freebie browsers (moz etc) will just fix it and issue an update. No biggie
They didn't say that IE also started randomly installing Bonzi Buddy et al during the test, the users' credit card numbers were automagically emailed to Romania, there was an sudden increase in outbound port 25 traffic from the system, and they ended the session with about 37 momre toolbars installed then they started with.
Does the fact that most of the browsers crash mean that they are vunerable in some way? or does the fact that they do crash a good thing?
It's quite known that broken code runs quite well on IE.
Great, but then it also encourages people to write bad code - see all that code with broken tables and a million tags that remain unclosed?
Thank webmasters (if they can be called that) who tested their code solely on IE for that.
And lately, writing bad HTML has become the norm rather than exception.
So what? I have never had a problem with my Firefox crashing (ever). Sure, if you try to make something crash, it eventually will. Considering how much security holes IE has, IE could be the missing link, and I still wouldnt use it.
Aparently, XPSP2 (including the new IE) was recompiled with the latest visual studio and with all the options turned on to better catch issues.
Without looking at it more closely my first reaction is, well for his values of "random" this might be true. But random is a horribly abused term in computer science. First of all it was no doubt arbitrary within certain ranges rather than random. Then, we need to look at why he chose those ranges.
... the broken app is the king!
...a benchmark that actually measures real-world performance.
I read it to mean that IE only excels as a web browser if your metric is "amount of broken code it contains". Which made a lot more sense.
With such a powerful parsing engine you would thing IE could parse web standards a little better.
Steal This Sig
Sounds like a "here comes the science" article to me. I find the information in the article lacking since no mention is made of what version of IE is being used to conduct these tests.
I suspect that the mozilla developers will be busy using this same tool to vigorously debug their application...
*shrugs*
So, if you feed IE random crap it doesn't crash? Too bad when you feed it stuff you'd like it to crash on (auto execution of malicous code, etc, it works just fine...)
When all is said and done, I still feel 100% safer surfing the web with some Gecko deriviative...
Yes Francis, the world has gone crazy.
OK, IE is the king of malformed HTML. It can take all the sh*t in the world and still run. Good job coding the parser.
But what about valid code? What about standard code?
I'd rather have full XHTML 1.1 support and abstrain from visiting sites made by monkeys with typewriters , or by Frontpage authors, than have an uncrashable parser for a browser who chocked on the proper XHTML content type.
I don't know if they still use it, but the Linux kernel developers used to use a program called "crashme" to help test kernel stability. Essentially, it generated random code and tried to execute it. Something like this for web browsers would make for a very useful procedure. Generate the code, throw it at the browser and log the code if it crashed the browser.
Of course IE can handle broken html. That's what Microsoft Frontpage produces. They have to be able to handle their own product.
As x approaches total apathy I couldn't care less.
Nothing crashed. I got blank pages, all the weird HTML and all, but no errors and nothing crashed. w00t.
This being Slashdot, I had to RTFA to see in what sense IE was shining. (Shining us on = pulling our legs, con job.)
One line blog. I hear that they're called Twitters now.
It encourages web authors to make pages that don't work in other (standards-compliant) browsers. But even MS is getting a bit tired of this, because (1) there are now plenty of pages that don't work even with IE (I encounter them all the time at work), and (2) all the error correction code helps to keep IE bloated and slow.
When will it shine on working code?
Konqueror has a neat bug symbol on the lower right corner when displaying buhhy html code.
I think this is a nice feature.
I wish that konqueror would have been tested. It's a good browser.
He starts sending bad data...data the program wasn't intended to read...it crashes...and this make them just as bad as IE? I tried to cat a binary once. My screen shat.
Other browsers have an insistence on adherence to standards that, although admirable in a compiler, is nonsense in a browser. Bad HTML will always be part of life, and a browser that can't make guesses about what bad tags mean is like a TV that crashes if it gets a noisy signal.
Too many people writing user-facing software seem to think that if the input isn't in the format they expect, they can just forget about it. Not true: your job isn't to handle some kind of platonic ideal input, your job is to write programs that work in the real world. Making smart guesses about bad input will always be necessary.
While I must admit that this is a great technique that can be employed by the various alternative browser vendors such as the firefox team to weed out problems. With its track record I find it rather dubious that the guy was unable to crash IE. Im willing to bet there are a couple of people here on Slashdot who know a few tricks that will crash IE with nothing more than a couple of lines of code. Which would enevitabley point to a flaw in his system. If anything at all this highlights IE's highly forgiving HTML parsing.
Electronic Music Made Using Linux http://soundcloud.com/polyp
Larry Osterman is about to demonstrate one of the great values of open source. He's identified a set of malformed HTML and within a few days/weeks someone will have fixed it.
If this were a closed source / Microsoft browser, then there would have to be a complete release cycle before a non-security issue is resolved.
All software has defects, it is the access to the code that allows someone to rapidly fix issues that sets open source apart.
Microsoft can afford a purify license.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
...after it crashes does it hand the keys over to a malicious outsider or does it just stop working?
On my older [less mem, win2k] machine I could get Mozilla 1.5 throug 1.7 to hang by just visiting a lot of pages without using the BACK key. But the mozzie browsers don't have all those hooks into the OS that make backdoor control schemes possible. Mozzie failure modes would make for nuisance DOS, not subjigation of your system. If you accept the results claimed in the blog then its clear that MS did a better job of putting "containment" around their rendering context but the long list of vulnerabilities against IE also means MS has been too feature-happy or naive to avoid control hooks between the container and the OS.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I like the idea that my browser (Firefox) may crash upon finding bad code that could be used to infiltrate my system. This is just another call for web monkeys to write standard html with the browsers to only parsing to said standards, therefore assigning things brought up by this study to history.
This also could be part of the intergration that Microsoft keeps harping on about. The error checking on the html is so good that it can only come from inside the OS*.
* Apologies if this is wrong, I know nothing about OS and Browser coding, and is based on wild speculation only
Assuming this MSFT guy is not lying...
Yes it's a slap in the face. But seriously this is what OSS is supposed to be about. Full public disclosure. If he did find scores of DoS related bugs then the OSS crowd [who like to show their names when the attention getting is good] ought to pay attention and fix the problems.
You can't gloat how open and progressive you are if you scowl and fight every possible negative bit of news.
And "mentioning how bad MSIE is" is not a way to make your product any better [just like "he's not bush" isn't a bonus for Kerry].
So shape up, take it in stride and get to the board.
Oh and while you're at it make Mozilla less bloatware. 30MB of tar.bz2 source could be your first problem....
Tom
Someday, I'll have a real sig.
Catch is, IE did not crash; the machine crashed. So, technically, it's not an IE crash... ;-)
None of the samples in http://lcamtuf.coredump.cx/mangleme/gallery/ was able to crash Konqueror from KDE CVS Head. Heheh time to praise Khtml developers again!
Never learn by your mistakes, if you do you may never dare to try again
RTFA. Larry didn't find the broken HTML, he just referenced an article which did.
I saw something like this (not quite, but similar) a few years ago working with Java Script.
I wasn't that experienced with it, and as a result, certain pieces of my code were syntactically incorrect. Specifically, I was using the wrong characters for array indexing; I think I was using "()" instead of "[]". I would never have known there was even a problem if I hadn't been doing side by side testing with IE and Mozilla. A page that rendered correctly in IE would always show errors in Mozilla. This made absolutely no sense to me.
It wasn't until I viewed the source generated by each browser that I discovered the problem. IE was dynamically rewriting my JavaScript, replacing the incorrect delimiters with the correct ones, whereas Mozilla was simply taking my buggy code at face value.
It causes no issues with Safari...
1.) a browser should defiitly not crash when it is fed malformed html.
2.) crashes due to buffer overflow ARE security issues, since they allow you to insert malicious code.
if it was IE that crashed and not mozz, i bet you would have shouted that microsoft made crappy software.
now i am waiting for you to shout that mozilla is crappy software...
(crow disperses, mumbling that that is something totally different.)
I now know where the person who was the previous owner is working now. At Microsoft.
The same person tells us that Apache sucks when compared with IIS. Does this mean we've all been wrong about Microsoft products? If we take Microsofts word for it we have indeed and should seriously consider switching back to IIS. After all, [THE FOLLOWING IS SARCASM:] this conclusively proves that IIS is far superior to the Linux Apache Mysql Perl/Python/Php system.
[signature]
way back whend =18827 8
https://bugzilla.mozilla.org/show_bug.cgi?i
(have to copy/paste that url since bugzilla blocks slashdot refer's)
You don't need to know html to write pages for it ;-)
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
MSIE passed that problem already. They had that famous bug of which was an invalid NULL pointer. It seems instead of fixing this single bug, they gave a good overhaul to the whole code, fixing all vulnerable places and getting MSIE to swallow any malformed tags.
From what I've seen on Bugzilla, I haven't seen Mozilla to have any similar problems. Malformed tags cause misrendering, break pages etc but don't crash it. Or at least, didn't until now. It's just time for Mozilla people to do to Mozilla exactly what Microsoft people did to MSIE.
(about Opera, I'm not surprised. The shortcuts they've taken in DOM to make it "the fastest browser" are more than dangerous...)
Anagram("United States of America") == "Dine out, taste a Mac, fries"
His only criterion is whether the browser crashes or not. Somehow, it disturbs me more that IE doesn't crash; what precisely is the effect of the bad code then?
I agree that these are all potential security holes, yet the article author mistakenly correlates crashing with vulnerability.
What if IE is similarly vulnerable yet simply doesn't crash?
From that point of view, at least crashing is an indication that sometihng is not right.
All the same, I consider it a good beginning.
Blearf. Blearf, I say.
The point is that someone else could craft a page that makes your browser crash.
Which would be annoying enough - but some of these crashes have the potential to become 'arbitary code execution' flaws.
Having said that - yes, these flaws are less serious than many others - and will likely be fixed quite quickly in the open source browsers.
For information - I was unable to make my version of Opera (v5.12) crash on the sample 'opera-die' page - but it did render some of the random pages incredibly slowly and would probably run out of memory on a properly crafted one.
so, did he REALLY find many bugs, or did he find just a couple bugs that
manifest themselves with many variations of html that really are doing
essentially the same thing?
So IE is better at handling junk.
Nothing new here...
i cant seem to come up with a sig.
I may be a little paranoid (heck, I actually am) but I've long suspected the IE support for loose HTML was a strategic decision. Go back to the days when Netscape would render a page with a unclosed table tag as blank. IE rendered the page, and I often encountered sites that didn't work on Netscape.
It could be a coincidence, but the loose HTML support of IE led to a situation where some webmasters conclude that Netscape had poor HTML support. You can argue about standards all day long, but if one browser renders and another crashes or comes up blank there isn't much of a contest.
-- Solaris Central - http://w
I just tested his CGI using FireFox 1.0PR. I reloaded it 50 times, and the browser never crashed.
;)
Maybe his testing skills aren't that up to date? (From viewing the source, it is obvious that his html skills are lacking)
I just spent 5 minutes here refreshing the garbage generator, and other than the odd security exception thrown when it tries to access my hard drive, I find absolutely nothing wrong with Mozilla. Memory usage has been nearly constant, and it's not crashed once. Perhaps the testing computer was using an ancient version of Mozilla, or Windows was running too long without a reboot?
Honestly, I'm not seeing the issue here, other than a Microsoft guy throwing around some FUD.
Anyone else notice that the slashdot IE icon is from the OSX version of Internet Exporer?
One wonders whether this indicates an emphasis on a "test case" driven development process, as opposed to a "functional spec" driven process. Certainly there must be a design rule that says "never crash, assume something and drive on".
Upon reflection, I don't recall ever seeing an error message from ANY browser telling me that a particular web page it is attempting to parse is fubar'd beyond hope, they all just drive on as best they can.
This is particularly highlighted in XHTML pages, where there is an abundance of structural features (strict closing of tag sets, for one) that enable detection of broken code. I don't recall (disclaimer for failing memory) ever seeing a message indicating that the page's code was broken, browsers just muddle through, producing erroneous displays and hoping the result is "good enough".
Perhaps if the browsers reported web page syntax errors -- something blunt (but not crude), like "the web page you are attempting to display is broken and is not properly displayed" in a large translucent block font over the rendered result -- the web would be a more syntactically correct place.
It would have to be something simple enough that Joe User wouldn't reformat his hard drive and reinstall the system upon seeing it, and blunt enough to motivate web content producers to make better code.
I think it was in Netscape 4.7.something on the Mac. If you did:
;)
netscape = true
It would crash the browser and the OS! So much for my browser detection code
Firefox has fast developement, they'll fix this in a month, meanwhile the IE css box model has been broken for the last 5 years, and they still don't have a pop-up blocker built in. I've noticed a few Firefox crashes that sound like this so hopefully its gonna be fixed very soon. I might sound biased against Microsoft, but actually i've been learning C# and loving it! Microsoft are hardcore, they just concentrate on business more than software sometimes, and as a budding young student, close to graduation with plenty of debt whos just totally sold-out i can respect that.
This comment does not represent the views or opinions of the user.
. . . we're talking about MS windows platform. Only.
Once had a script that renderd a bunch of large tables (It was a report) - Had the end-table in the wrong spot that made the page look like it had 1000's of nested tables... IE when rendering the page would eat up TONS of RAM and eventualy ither crash or lock up the system......
You just never know..
http://lcamtuf.coredump.cx/mangleme/gallery/
I opened all the pages in tabs in Firefox 0.10.1 under Windows 2000, and Firefox did not crash. It became somewhat unresponsive, but I could still select other tabs, minimise and maximise. I could not load new pages anymore.
Can someone else test this as well, please?
And can someone tell us whether this has security implications or not?
Shouldn't this random input be part of standard testing for any application?
I use it all the time for testing my PalmOS project: the PalmOS emulator has a "Gremlins" mode that throws random events at your application constantly. My basic rule is that if it survives 300,000 events without crashing, there should be no major problems.
Of course it won't catch functional bugs, but it's an incredible tool for catching unchecked inputs, memory leaks and similar problems.
Take a second to compare IE's track record for security/stability when compared to Firefox/Mozilla. Also consider that the vast majority of the serious bugs in Moz have been fixed within *hours*. What has MS' response been to several critical vulnerabilities in IE: "Um.... we may get around to fixing it" or "No, we're never fixing that".
Compare this to: "Oh, X has a security bug.... therefore publisher(X) makes crappy software".
Next?
"It is a good divine that follows his own instructions" - Portia, The Merchant of Venice
Pfft, bullshit. Security QA? Riiiiight.
My wife switched to the Fox over a year ago(well, it was called something different then...) because IE was too crash-prone. I didn't tell her to, she asked me if there was something else she could use. That is only one example of someone switching because of stability, I personally know several folks at work who did the same. I haven't used SP2, so I don't know if it's better there, I'm sure it is. But to conclude that IE went through more vigorous security QA is absolutely laughable.
OTOH, this does highlight serious problems with other browsers. OTOH2.0, there are a number of crash bugs in Moz that are known and aren't considered security vulnerabilities, so I wonder if any of the crashers the author found are the same.
Anyway, interesting article with ridiculous conclusions, however some very much needed good PR for IE ;D
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Opera 7.54 on Mandrake loads taht cgi "lite" live demo page succesfully and while refreshing shows random junk. no crashes and no slowdowns.
Ugh. Not the best written Slashdot entry.
:-)
Larry Osterman -- former Microsoft guy; someone forwarded him a post to Bugtraq.
Michael Zalewski -- absurdly brilliant security engineer out of Poland. Did the pioneering work on visualizing randomness of network stacks, passively identifying operating systems on networks, and way way more.
Nothing bad against Larry. But this is all Zalewski
--Dan
You can check this web that hangs your Internet Explorer. It doesn't matter which version, the page is years old and still works...
The entry refrences this, which just spits out bad HTML from the tools he wrote. I'v been reloading
it _MANY_ times now in firefox 0.10, but havn't seen any crash yet.
Anyone crashed anything on the above link ?
Nevermind using random garbage to crash a browser, you can make IE6 crash with perfectly valid strict HTML.
Try this page in IE6 and then hover your pointer over the link. Crash!!!
Replicating the experiment on mozilla on linux (repeatedly refreshing the url: http://lcamtuf.coredump.cx/mangleme/mangle.cgi) causes NO CRASHES
I think there may be some FUD here...
Case in point.
Last week I wrote some Perl to process an mbox mail folder. I just wanted a quick and dirty way to view its contents in a web page. A couple of CPAN modules and a few dozen lines of code and thing was done. Then I started to get fancy and dealing with stuff like embedded MIME-encoded GIF images. This was pretty simple to do, but I made a mistake. Once I had the decoded GIF data lying around, I wrote it to the HTML file of the current e-mail message, rather than writing it to a seperate file and writting <img src="foo.gif"> in the HTML file.
I was viewing the results with Firefox 0.10.1. When it got to a message with an embedded GIF, with a big slodge of GIF binary data sitting in the middle of the page, Firefox either just sat there spinning its hourglass, or crashed and burned.
Then I looked at the same file with IE, and the GIF image showed up. I was puzzled for a while until I noticed that in the directory where I had created the file, no GIF files had been created. It is of course arguable that IE should not have attempted to render the GIF image from the binary data sitting in the middle of the page, but it did so without complaint. Not rendering it would also be acceptable.
Firefox, on the other hand, has a number of better alternatives to crashing or hanging. Should it display gibberish (like when you forget to set up your bz2 association correctly) or nothing, or the image? I don't know, and don't particularly care about which course of action is taken. Anything is better than crashing, especially when IE doesn't.
Anyway, I fixed the Perl code, and all is well.
The End
Let's see... it came up with:
...and I'm having a hard time finding anything else. I remember seeing a few before, but I can't find them, and I really should be doing homework right now. CyberArmy used to have a crash page, but I can't find that either. Oh well... but they do exist.
http://www.geoapps.com/ie6crash.shtml: Image exploit that does something to mozilla, but nothing serious
-ReK
md5sum -c reality.md5
reality: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
Huh? Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10.1 No crashes here. I must not be lucky.
Tell me, Mr. Anderson, what good is a browser when you are unable to access the net?
While it's great that IE can handle 'bad' web code, it really is a seperate issue from security. Now, when the other browsers actually *crash*, this is a concern. Yes crashes *can* be used to determine an exploit, but that doesn't mean they *do*.
To beat the dead horse of the car analogy, if my car doesn't start, it may be the entire electrical system, or maybe my battery is just dead. The moral is don't try to make a mountain out of a mole hill.
Meanwhile, I absolutely despise the fact that IE does handle a lot of 'bad' code. This is a side effect of the IE monopoly on the browsing world. We're not talking about it handling variables that arent declared before they are used or sumsuch. We're talking about code which *should* be causing errors. Since they don't cause errors most of the time (or are hidden from the user) and most web authors only test with IE, there is a massive amount of bad code on the net which is never fixed.
Now I'm glad that the author has found these crashing bugs in the other browsers. This obviously needs fixing, and I'm glad IE is at least stable when it encounters malformed code, but more error reporting needs to be done to the user on all browsers.
Summary:Good review, brings up great points, kudo's to MS for stability. Now everyone go back to work on your browsers and add blatant *THIS WEBSITE AUTHOR DOES NOT WRITE PROPER CODE* dialogs to all your error messages. It's the web author's fault, it's time we told them so.
-- I have fans? Wow.
Sure, the others crash and IE doesn't. But the difference is that IE exposes security holes through accepting malformed input. I would rather have my browser crash then have it allow a hacker to take my machine.
Test if your code is good or not at http://validator.w3.org/
Evolution or ID?
Mozilla shines on broken code too!
What was this story suposed to prove? Oh! You mean browsers running on Windows crash. But they are supposed to crash on Windows. Windows has only one browser.
When you run his tests with Mozilla on Linux it has no problems with the code.
Strange story guys
realkiwi
No trying to brush the issue aside, as this is potentially a big test for the Mozilla project, but considering FF hasn't even reached 1.0 surely some bugs are to be expected.
Don'tcha just love null pointers
what about random (and malicious) javascript?
as for the html "problem" that's why xhtml was created, so that code has to be perfect or it doesn't render. trying to render bad html is always a bad idea because there are endless ways to make mistakes.
This just in - a formal testing procedure helps reduce bugs.
In this world nothing is certain but death, taxes and flawed car analogies.
Bloated, perhaps? But Mozilla's memory footprint is a lot bigger in Win2K/XP than IE6 or IE5.5.
/. I'll defend this (rare) pro-MS comment by stating that I have Mozilla installed on all my machines and use it for all my Internet browsing. Development and company intranet, that's where I use IE.
Slow? No way! a) IE still renders things quicker than Mozilla, and b) IE itself loads a LOT quicker than Mozilla. I've been using Mozilla for well over a year constantly. c) executing Java applets happens a lot quicker with IE as well.
And because this is
These kind of tools make a hacker proud :-).
Simple, effective means of testing program to find bugs. I'm certainly sold on using this kind of program to test my code. Of course it's only the tip of the iceberg; similar tests should exist for css, javascript, images, http, ftp, etc. etc. etc.
--Eamon
... and given the notion that it also works in Linux, one would be tempted to conclude that all this is a MS Windows issue, NOT a browser issue. :-P
Arduenn of the Black Forest, http://arduenn.ma.cx/
Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis
That's great! Now I can finally read all those randomly malformed sites I've been bookmarking lately.
A couple of seconds work would have shown that it is complete bullshit.
I have trouble with some of the "Linux is God" articles but crap like this really should have been let go through to the keeper.
Unfortunately, handling the test cases provided with the post doesn't mean it's ok. Browsers were run with randomly generated test cases, and the article says that usually a hundred or so tests were required to cause a crash. The probability of a poorly written browser crashing on any given case is low.
The chances of any single test case being problematic are low, so passing the cases provided doesn't mean Safari is safe. If someone downloaded the cgi that automatically generated tests and left Safari with that for a few hours without crashes, we could then say that it lacks the flaws that Mozilla and Opera have.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
.. is so that elitist, insecure, and petty nerds like you can feel "superior" by producing "compliant" scripts on "alternate" browsers.
If you're so clever, show us some examples of your excellent HTML "code". Moron. You probably create your pages with Fireworks or Imageready, like most people out there.
Who gives a damn. Web pages are there to display information. Hell, most of my texts on the web, are exactly that: ASCII TEXT FILES. All browsers display them even though they don't have any of the HTML tags.
At the end of the day, it doesn't matter. What matters, can the user view the info? Is the server secure? Is the server up 100% of the time? Is the database available? Is the network reliable? Can the user perform their job?
Join the real life.
I just downloaded and ran his test suite against Firefox 1.0PR.
Everything looks fine to me. No crashes. I also ran it against his CGI and the "die" gallery in the tarball. No problems, though it did stop for a few seconds a few times.
Now, he does mention that sometimes the crashes are due to memory exhaustion. I've got the suite running right now on another tab of the browser I'm typing in, and the memory usage is going up, but only very slowly; I think it's due to the logging in the JavaScript console that's happening due to the bad JavaScript that's running over there. After 15 minutes of constant reloading, it's up from 39 to 44 megs. So maybe if you reloaded bad JavaScript constantly for a couple of days, you might eventually run out of memory. Certainly if there's a memory leak, it should be fixed, but IMHO that's not a security hole, while crashing indicates the possibility of one.
You meant to say IT: Windows OS shines on broken code
Using Safari 1.2.3 (v125.9) and all is fine. Tried the online version of the tester and just got a blank page (with crazy source). No crash, no hang, no problems as far as I can tell.
Score one to the kool aid.
of DOS executable image header fame ?
Michal Zalewski
[alk]
... and here's why.
With correct data (in this case, HTML), there is a specified action that is "correct". In other words, a correctly marked up table will get layed out, according to the W3C rules for laying out tables. A paragraph will get formatted as a a paragraph, etc.
With malformed markup, the "correct" thing to do is indeterminate. If every browser just takes its best guess, they will all diverge, and the behavior is wildly unpredictable. Even from version to version of the same browser, the "best guess" will change.
"So? You've just described the web!" Well, exactly, but it could have been avoided. Bad markup shouldn't render. It ain't rocket science to do (or generate, though that can be a harder problem) correct markup. If you had do it to get your pages viewed, you would. Ultimately, it wouldn't cost anymore, and would actually cost less (measure twice, cut once).
Of course, what I just wrote only really applies in a heterogenous environment ... which MS doesn't want ... fault tolerance in your own little fiefdom can make sense.
FYI http://bugzilla.mozilla.org/show_bug.cgi?id=265027 (copy/paste, Bugzilla doesnt like /. links)
How come this guy felt it was more appropriate to post this to a widely-read security mailing list than to submit a bug to Bugzilla? Complaining about QA to a group of security experts doesn't improve the product. That's what's great about the Mozilla Foundation, and Open Source in general. Don't just complain "Waah, it's broken", file a bug!
Luckily, someone did it for him: Bug 264944. I can't link from here, but if you visit http://bugzilla.mozilla.org/ and put the bug number in the little search field, you can see it for yourself.
"Why does this tedious MS bashing get modded insightful."
Because in light of the article, the Linux girls need to reassure themselves that MS is substandard and bad and anything not MS is good. They need alot of reassurance, those Linux girls. Hold them and whisper to them that IE has had many security problems in the past. That will make them feel better.
I tried this script on both Mozilla firefox at least 40 X now, and it hasn't crashed yet...
You'll also notice none of this random code tests activex security either, or many of the MS extensions which "enchance" security either.. So I think the tests should be taken more with a grain of salt.. Also while he did say null dereferences, its potentially due to all the same 1 or two flaws, and may not be exploitable at all..
Take this with a grain of salt I'd say, because when you check the tags being tested, there aren't a great amount..
Almost everytime I click on an article, what appears on screen makes me feel like I am loading broken layout code into my browser, resulting in multiple clicks of the Reload button.
However, the same code works fine in Internet Explorer, every time.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
He should have randomly fed STABLE code into each of the browsers and saw IE continue to freeze and hang while the other browsers continued to present real data to the end user ;) Sure IE may not suck for bad code, but I like to look at real code with real information and I know that IE hasn't quite figured that one out yet ;)
You create your own reality - Leave mine to me.
Processor power is cheap compared to engineer salaries. If you aren't prepared to take the hit for an "if(foo)" conditional, then be prepared to pay for my time in finding the flaw in your code.
If you were blocking sigs, you wouldn't have to read this.
Perhaps the compiler and Memory Manager is such as to automatically discourage the software to do destructive buffer overflows?
I've noticed in the past that with writing flaky software in windows you can just ignore many memory related errors and continue with execution... or at least this is more common practice. In most cases this is justified IMHO.
HTML is out there, and millions of malformed pages exist. Most of this is a result of mistakes by authors, but some of it is a result of the moving target that HTML has presented in the past. /. story is also about how various browsers, including the saintly Firefox, can be made to *crash* given certain input. Just thought that should get a mention :)
While your argument is attractive in principal, in practice it's misguided. The horse has bolted. in 2004, no-one would use a browser that didnt work with a huge proportion of the web's content. This is an area where pragmatism is required.
And to respond to the ubiquitous MS-bash, let's step back and remind ourselves that this
(And BTW, I speak as a Firefox user)
IE isn't the only thing that accepts sloppy code. Currently taking a SQL Server 2000 class and Query Analyzer let's you create queries with out ending semicolons and with out regards to case sensitivity of the field names. I was amazed at the sloppy SQL I could send it.granted, you make a actual mistake in the syntax like a bad select it would not work, but if you jusr had say a capital H instead of a lower case h in a field where the name of the field showed as a lowercase h and it would work. Case sensitivity is there for a reason. I guess it could be the specific collation I set up the server with, but it shoudl have never accepted a select without a semicolon at the end. Plus don't get me started on why it was bad for Microsoft trying to improve SQL by adding their own things to there varient of SQL, T-SQL. Of course, Oracle and others have doen the same thing. It would be so nice for SQL to just work from one server to another.
Gorkman
I wonder what happens when I try the output on the w3c validator.
So can those people who have tested his code write
PS: I'm here at work on Mac OS 9 and all browsers are pretty old, so I don't write anything...
I don't need a signature.
I downloaded the tool and started looking in the files. The first file is the Makefile. Here I noticed some confusion between globing and regular expressions. The expression core.[1-9][0-9]* would make a lot of sense if it was a regular expression. But shell expansion does usually not use regular expressions but rather globing, which is slightly less powerful. That means make clean does not remove a file named core.9, but does OTOH remove a file named core.10abc. Of course he is not the first person to make that mistake, and it is easy to miss when testing.
Do you care about the security of your wireless mouse?
But handling it sufficiently well that you don't crash would be a good thing?
Cheers,
Roger
Do you have any better hostages?
I've once managed to kill my Windows XP by similiar experiment. I've wrote a simple ASPX that generated randomly damaged WMFs and displayed them in browser doing reload afterwards. I don't know how well WMF problems were fixed after several WMF-related vulnerabilities are published, but the problem is that metafile data is directed right to GDI32 via PlayMetafile() and some of not-so-checked data even manages to get through to kernel-level win32k.sys. EMF has similiar problems. During these cruel experiments I've caused IE to crash many times, and after 30 mins of testing i've got BSOD. I've rebooted Windows, and it didn't find it's registry ... :( NTFS was severely damaged, and unfortunatelly the corresponding "test case" (broken wmf) was lost...
A tool like this would let the average wanna be contributer find a reproducable bugs and try to fix them. Which brings me to my dumb question: Is the Mozilla gecko engine more easily built/tested than the whole of Firefox? I love FF, and wouldn't mind throwing some cycles at improving it, but the entire build process is a bit more than I really want to take on... If I could just build and unit-test the failing component I'd be more likely to try.
Anyone have pointers beyond the hacking section at MozillaZine?
My guess that most of the issues are the latter two, though obviously this needs to be verified. Most things probably stem from poor error handling and edge case. It will be interesting to see if this turns up any real security holes.
This reminds me of the article some years ago about a project reported in an ACM publication to feed broken command lines to UNIX. They found numerous problems doing that.
Having done both commercial and open source software, I've not found one to be all that better than the other. Sure the best open source project is better than the worse commercial. I'm just not sure the average is that different.
You raise a nice question.
I would love to see a plugin for Firefox which enforces a "use strict" like with Perl.
When the plugin is enabled (a buildin option would have my preference, though), bad code won't be rendered at all.
Just like in the days of Mozilla prior to 1.0, before then it hardly ever rendered bad html, afterwards they focussed more on the "Website compatibility"
I'm not quite sure what this is supposed to prove. I refreshed the page a good 20 times at least, in 'Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1' and no crashing whatsoever. Could this be a Windows-only bug?
And also, about those NULL pointer references... the only ones I found were displayed in the JAVA CONSOLE and did nothing to affect the stability of the browser.
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
A person writing a 'Linux advocate article' is likely to be making extensive use of CSS in order to properly separate the document structure and style. In other words they create documents that are easier to maintain and comply with the standards.
I don't suppose most of them will cry if IE renders it slowly but I doubt that's their primary reason for doing it, although they'll certainly be aware that IE's CSS compliance sucks.
I am certain that I could be doing it wrong, but, I have not yet been able to crash my browser using his examples.
And, might I add, the pages that are "razor sharp html", are not things that one would normally see anywhere.
But, if indeed there are conditions that can be created during the viewing of malformed html-ish, input (and I use that term loosely), then I would guess that the Mozilla folks are going to be busy checking these issues out in the next few weeks.
With malformed markup, the "correct" thing to do is indeterminate.
Well, that's debatable, but one thing that's for certain is that you absolutely should not crash due to malformed data. That's bad enough in a browser that doesn't support tabs, but in a tab-capable browser it's unforgivable. That one unparsable webpage that causes the browser to crash is a serious annoyance if it takes out another dozen or so tabs in the process.
Even ignoring questions of pragmatism (raised by other respondents), at the very most the browser should display some sort of "malformed page, unable to display" error. User input (which this is essentially) should not be able to crash an application. My compiler doesn't crash because of syntax errors in my code, why should my web browser?
It's official. Most of you are morons.
sorry, that's all i got...
Could somebody explain why bad pages can make a browser crash? For what I know, if a parser is fed illegal code, it simply returns "failure in parsing" or something like that. Why should it crash?
Bad markup shouldn't render.
It shouldn't crash the browser either.
If any input, even a pathological one, can crash my program, then I need to fix my program. Always.
My Karma: ran over your Dogma
StrawberryFrog
I tried using Safari 1.2 on OSX and have had no problems. No crashes, no hangs, no problems. Loaded the test a few dozen times.
Assuming he used Mozilla, did he file a report in Bugzilla?
At least I tried these examples with Konqueror and it did not hang or crash.
I tried the mozilla ones with Mozilla 1.6 and firefox 0.9.1, and they both crashed and burned. The Opera test crashed my Opera 7.54 (opera remembers where it was, so yay).
I tried the lynx (version 2.8.5rel.1) one, and um.. well.. Linux doesn't handle programs eating memory really quickly very well. I was getting mouse lag, and my system was really unresponsive. I hit ctrl-c about a thousand times, and managed to bring up KDE system guard and kill it.. it was using like 500MB of RAM. Nasty nasty stuff.
-- The doctor said I wouldn't get so many nose bleeds if I just kept my finger out of there!
You mean Gnu/Linux/Apache/Mysql/Perl/Python/PHP system, right?
I have 3656.9 Bogomips. How many Bogomips do you have?
Are we assuming that having a program continue to run after parsing bad code is a good thing? Yes, it keeps running until someone can find a way to malform the code enough that they can take complete control over your machine.
I think I'd rather use a browser that abends.
The1Genius - Littera Scripta Manet
...because it doesn't need the .NET CLR installed to run.
I tried each of his 'die*.html files and none of them killed my browser. Most just resulted in blank pages.
I'm using Safari, on OS X (10.3.5)
I drank what? -- Socrates
HTML 4 Transitional was designed so that it wouldn't be so much work for sites to change their markup from the previous, somewhat ad-hoc standards. As a result, it includes various tags and attributes from HTML 3.2, usually to do with more visual aspects of page layout. Such features aren't present in HTML 4 Strict, where CSS is used for visual formatting (almost) throughout.
In HTML 4 Strict, how does one number an ordered list starting at 10? The value attribute of the li element (<li value="10">) is missing.
$ badhtml.o | /dev/null
hey, my script doesn't crash either, and it's only one line! of course, the caveat is that it only displays GOOD tags about as well as IE, too...
They just used
On Error Resume Next
I Encrypt My IM's
RTFA before modding this whatever...
Or does it seem rather amusing that IE, a poorly written browser with many security holes that *brilliantly* links into the OS (not), allows poor code not to crash it...
Then again... properly written code it seems to have problems with.
Oh well.. I guess that's what you get.
The price is always right if someone else is paying.
I wonder if arbitrarily rendering image code spat into the middle of a page could be used as a vulnerability? Anyone ever try this?
You're reading Slashdot. Of course you like Linux and pc hardware
Remind me not to run any or _your_ code!
:)
or => of
I hope you have reported the hang on http://bugzilla.mozilla.org . I would even mark it as security sensitive and as a possible Firefox 1.0 blocker.
It's only when people actually report these kind of problems, that they will actually get fixed. Otherwise you can still wait a long time for a fix, as it's not very likely someone else will hit this bug.
Does this affect open source browsers only on the Win32 platform? Or does it affect these same browsers under OSX, Linux, FreeBSD, etc...
I want to know if the Win32 port of the OSS browsers are at risk here.
...and what about the that he fails to mention then eh? http://www.neilturner.me.uk/2004/May/04/the_input_ type_crash_bug.html
How fitting fro a broken browser
To be secure, you really need two passes, the first to ensure that it "compiles" correctly, or probably better to partially display as it compiles correctly or correctively. I don't imagine we'll see such a slow browser though.
so much of Micorsoft's website displays blank / never finishes loading in anything other than IE.
Someone tried to say that crashes=security-hole. That is possible but doesn't follow. It is quite possible that IE's recovery system is going into wierd areas of the code in the recovery and that might be the greater security hole. What IS IE doing? If something crashes, it might be a DoS, but at least it doesn't send your password file. I don't think I've seen very many cases where these are exploitable - you can't "inject" code, merely cause a crash. Maybe the others need an exception handler?
IE has had more documented holes (and fixes). Maybe they will find more in FireFox and Mozilla as time goes by, but I doubt it. If they do I think they will be fixed more quickly since Firefox is NOT part of the OS. The monolithic design has its flaws. There is a dicipline in having to be cross-platform and by separating out the components - flaws tend to be isolated.
Netscape used to crash very often. Looks like the Mozilla people didn't learn much from it.
b id=182569">Description of Internet Explorer security zones registry entries</a>
n dows\Curr entVersion\Internet Settings\Zones\0\Flags
w s\Curre ntVersion\Internet Settings\Zones\0\Flags
Mozilla is just as sucky security-wise as the old non-mozilla Netscape (3.x 4.x). Whether it is OSS or not doesn't make it secure/insecure, it's the programmers that count. Look at Sendmail and Bind (and many other ISC software), security problems year after year for many years. Look at PHPNuke - security problems month after month for years. Look at OpenSSL and OpenSSH and Apache 2.x - not very good track records. Compare with Postfix and qmail, djbdns.
Most programmers should stick to writing their programs in languages where the equivalent of "spelling and grammar" errors don't cause execution of arbitrary attacker-code. Sure after a while some writers learn how to spell and their grammar improves but it sometimes takes years. For security you need _perfection_ in critical areas, and you need to be able to identify and isolate the critical areas _perfectly_ in your architecture.
To the ignorant people who don't get it. Crashing is bad. A crash occurs when the (browser) process write/read data from areas where it shouldn't be touching, or tries to execute code where it shouldn't be executing. This often occurs when the process somehow mistakenly executes _data_ supplied by the attacker/bug finder, or returns to addresses supplied by the attacker...
This sort of thing is what allows people to take over your browser, and screw up your data (and possibly take over your computer if you run the browser using an account with too many privileges).
So while the FireFox people get their code up to scratch maybe people should reconsider IE - IE isn't so dangerous when configured correctly. Unfortunately it's not that simple to do that.
To make even unpatched IE browsers invulnerable to 95% of the IE problems just turn off Active Scripting and ActiveX for all zones except very trusted zones which will never have malicious data. Since I don't trust Microsoft's trusted zone (XP has *.microsoft.com as trusted even though it doesn't show up in the menus), I create a custom zone and make that MY trusted zone.
By all zones I mean you must turn those stuff off for the My Computer zone as well - but that screws up Windows Explorer in the default view mode (which is unsafe anyway).
For more info read this: <a href="http://support.microsoft.com/default.aspx?k
To make the My Computer zone visible change:
(for computer wide policy)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi
To: 0x00000001
(for just a particular user)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windo
To: 0x00000001
If you don't want to edit the registry and make the My Computer zone visible, you can still control the My Computer Zone settings from the group policy editor (gpedit.msc) or the active directory policy editor.
You just have to know some Microsoft stuff. But hey, securing an OSS O/S and _keeping_ it secure (esp when u need to run lots of 3rd party software) also requires some in-depth knowledge.
Tried running the cgi script ( http://lcamtuf.coredump.cx/mangleme/mangle.cgi) numerous times on Mac OS X with Safari, FireFox and Opera and experienced no crashes whatsoever. Even Lynx do not crash.
/
So again, these security holes and flaws must be Win related (what's new...)
Interestingly the script produces the following output sometimes:
I see a bad moon rising.
I see trouble on the way.
I see earthquakes and lightnin'
I see bad times today.
Don't go 'round tonight,
It's bound to take your life.
There's a bad moon on the rise.
The page you are looking for is still somewhere around... Go and find it, if you can!
For private files archive, click here.
Clicking the link will point one to:
http://lcamtuf.coredump.cx/_private%20warez_
Which displays the following text, accompanied by an input field and a Submit button:
SECEXPERTS ARCHIVE: RESTRICTED ZONE
Enter XGB password:
Jon Postel said it best: "Be liberal in what you accept, and conservative in what you send." A web browser that crashes due to invalid HTML fails this test. Execution must stop at once... yes, but the program should handle the error. A program that crashes is the Operating System handling a program with bug. See RFC 1122 for more details about the Requirements for Internet Hosts. Section 1.2.2 about the Robustness Principle explains better than I can why you're wrong.
Admittedly, crashing isn't supposed to happen either, but I'd like to see one of these turned into an exploit before its declared an exploit. The argument that IE Buffer Overflow exploits are found and exploited in this manner doesn't mean that all program crashes are potential Buffer Overflow exploits - that's just does not follow.
It appears from other posters that the behavior depends on the OS you're running, which leads me to guess it might be an issue involving both the OS and the browser rather than just a browser issue.
Along those same lines, the security issue is going to be vastly different depending on the OS you're running the browser under. Mozilla may not provide the same security exploit under your OS as it does under Windows. Example: This bug fix (http://www.mozilla.org/security/shell.html) directed at fixing a *Windows Exploit*.
Finally, you'll not convince me Internet Explorer is a browser to use until its no longer a wide-open-gate for adware/spyware, virus and worms. Even then, I'm gonna have reservations based on IE's history.
Wanna be safe on the Internet? Use anything but IE.
My affinity for hyperbole knows no bounds
So I was running the Mangle CGI from his site:. cgi
w d.dat
http://lcamtuf.coredump.cx/mangleme/mangle
and got this weird page:
----------
I see a bad moon rising.
I see trouble on the way.
I see earthquakes and lightnin'
I see bad times today.
Don't go 'round tonight,
It's bound to take your life.
There's a bad moon on the rise.
The page you are looking for is still somewhere around... Go and find it, if you can!
For private files archive, click here.
------------
the "click here" redirects to:
http://lcamtuf.coredump.cx/_private%20warez_/
which looks like:
----------------
SECEXPERTS ARCHIVE: RESTRICTED ZONE
Enter XGB password:
----------------
of course, i dont know what the password is, so i just put in something, and it says:
---------------
SECEXPERTS ARCHIVES: ACCESS DENIED
INCORRECT XGB:21 PASSWORD!!!
Your password is not valid. Try again.
To recover your password from XGB token certificate file, please download it here and use the recovery agent. In case of any troubles, please mail me.
-----------------
The "download it here" is a link to: http://lcamtuf.coredump.cx/_private%20warez_/pass
and the "please mail me" is a link to:
mailto:lcamtuf@coredump.cx
Interesting..... Very interesting....
I sure am glad I use emacs to surf...
All's true that is mistrusted
A looong time ago I designed hardware. A young software guy was given the task of writing a diagnostic for a memory board I had designed. He spent a lot of time investigating bit patterns and data patterns that caused failures in the specific memory chips we used.
About 4 weeks after he started, he came to me and congratulated me on my marvelous design: his test had run for 2 days solid with no memory failures. Not that I have trouble taking a compliment or anything... I asked to see the test setup. I unplugged one memory chip and the test still passed.
A week later he came back and told me that now it worked. Yeah, it would detect one chip pulled in one bank but when I pulled a different chip from each bank on the memory board it only detected the first bank failure over and over again.
The point of this story is: the software engineer was only interested in whether or not the test ran. I was interested in whether or not the test actually caught errors.
Now: why in the hell did it take a Microsoftie to code up this kind of test and run it on these browsers? How did the coders of these browsers test? By just feeding each browser properly formed HTML and making sure that they rendered right? That is only 1/2 the job!
I now write embedded firmware for a living. I only spend about 1/4 of my time getting the software to do what it is supposed to do with well-formed input. I spend the other 3/4 of the time making sure that mal-formed input does not cause the code to do anything hinky!
Credit where credit is due: kudoes to Microsoft for this particular facet of their browser. And shame, shame, SHAME on the open source coders responsible for those browsers!
Wow.
Some of these code examples are just bad. Any web browser written properly would happily ignore the broken HTML, instead of crashing.
This almost makes me want to go back to IE and switch to WinXP SP2. Microsoft appears to be surpassing the FOSS crowd in terms of security, and all I see here is people jamming their heads in the sand.
Your loss.
bet not. :-) Just stop touting Firefox as the end-all-be-all of browsing. Everyone has problems. IE is just the most publicized.
Bad markup shouldn't render.
Well, here's an example of where XML is your friend. XML requires well-formedness in code; if something like an end tag is omitted, the page is not well-formed and is broken. A correctly-conforming XML parser (such as the Gecko engine) will not render the page, but will display an error message.
This doesn't absolutely prevent someone from writing an XML parser that, like HTML parsers, stumbles its way through bad code, but it is explicitly outlined in the RFCs for XML that non well-formed code should not be rendered. (And practically speaking, XML parsers really do have to honor this; by definition it would be nearly impossible to have an XML parser that rendered XML correctly if it was agnostic to well-formedness.)
Mozzie failure modes would make for nuisance DOS, not subjigation of your system.
I thought getting a DOS prompt on a remote system through the web browser was subjugation of the system.
I think a lot of people are missing the point here. I don't have time to personally verify whether the author's claims are correct; let's assume they are. The type of errors he saw are potentially the type that could be exploited via the tried-and-true buffer overflow method. This is the kind of thing that leads to "execution of arbitrary code", in other words, 0wnage. If Bad Guys craft a apecial web page, they could target those of us who use these non-IE browsers.
In other words, the people who have been defending IE (and Microsoft in general) by saying "your Mozillas and Operas have been safe from security problems only because nobody uses them" will not only have a field day, but now the clock is ticking. There's proof that there are promising means of attack against these browsers. Someone is surely going to research this. I really hope the good guys developing these browsers rise to the challenge and tighten up the code before we (the people who have been recommending them for years) start losing credibility. I'm inspired to look into helping them out.
Sorry if this seems incoherent, I keep getting interrupted as I type this. Stupid work...
Yes, it is mac only, but iCab is very very particular about using strict interpretation of HTML. It is quite amusing to see how it renders some pages.
http://www.icab.de/
I am utterly confused what brwoser to use tomorrow.
This is clearly a lot of security problems for mozilla/firefox.
Opera is also not an option since the opera_die clearly is an security breach on opera.
Lynx is an option (limiting the memory of the current session. ) but is ugly.
i.e. has a long history of security problems and that is an important issue not to use it.
Should i use one of the other browsers that is not i.e. based?
Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".
Other steps must be taken to deal with these issues. What we can do is treat the symptoms.
For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.
I believe the browser projects need to work with the community to support that type of runtime configuration.. Before a big nasty vulnerability does damage.
Chroot, in particular, is very tricky.
It's common knowledge that IE is fault-tolerant. So it can render malformed code... wake we when it can finally properly render well-formed code.
It's not exactly what you wanted, but at least this HTML validator extension for Windows or this validator bookmarklet doesn't require an $800 hardware key.
Ther are no exceptions to Postel's Law.
Why is anything anything?
Well, here's an example of where XML is your friend.
Not if you're trying to maintain compatibility with the 94-percenters. XHTML doesn't work in IE. Send XHTML with the proper Content-type: application/xhtml+xml and you get a Save As... dialog box; send XHTML with text/xml and you still don't get access to the HTML DOM.
The fact that it does crash some browsers indicates that they probably are trying to run part of it as code
No, it doesn't. Not at all. For example, if I feed the program "i=i/x" the number "0" for x that program may crash. But that doesn't mean the 0 was executed as code or something.
There are many ways of crashing on bad data that don't point to this kind of security problem. In order for a malicious exploit, you need to get bad data in just the right place - in a place where the address of some legitimate code is stored, and where that address is going to be used. You then need another fairly certain location for the exploit code you can point to.
Sometimes a crash does point to a vulnerability like the above (usually do to stack return addresses). But often not. And suggesting that all crashes point to some execution of data is just wrong.
Let's not stir that bag of worms...
Ya I can see it now. IE does not crash. It just lets you in. Why crash the browser when you can surf the net and get hacked at the same time without knowing? It sounds like a multitasking feature to me!
Assembling etherkillers for fun an profit
Firefox crashes out on me once or twice a day, taking not only the page it was rendering but all the other tabs I had open with it.
Sure, perhaps malformed HTML shouldn't render. But I'd much rather it rendered than crashed the browser, which is bad.
I used to have Firefox crash and burn regularly on various webpages - linux and windows. The browser would segfault and be gone, sometimes without visible errors
Eventually I noticed it seemed to be mostly with pages having Flash content. I ended up nuking my plugins folder and reinstalling the flash/Java plugins, now it crashes a lot less.
While the article indicates it is possible to crash on bad code, you might want to check your plugins too just in case.
Open 2 separate Safari windows, and open 3 tabs in each.... load any content in all of the windows.... now, if Safari hasn't already fallen to its knees, in any tab, go to a page that contains flash. Pretty much deadlocks my system (533MHz G4 with 768Mb RAM, OSX 10.3.5).
I tested seven browsers, Safari, Mozilla, Firefox, Shiira, Camino, Omniweb and Opera (on Mac os X) - all in the clear after numerous reloads: http://mapage.noos.fr/beisser/sevenbrowsers.jpg
...I first read about it in this CACM article (v33#12, Dec 90). The authors generated random text strings and fed it into UNIX utilities, producing a variety of entertaining crashes and lockups.
"A good portion of the paper discusses common mistakes made by programmers that caused the utilities to fail..." want to bet they mention buffer overruns? (sadly, full text requires ACM membership)
now watch as all the browsers implement this, and millions of geeks around the world scream because they can no longer read slashdot.
If I don't put anything here, will anyone recognize me anymore?
Come on guys, this is so obviously propoganda. The guy spends a month trying to find a way to crash mozilla, when it took me 2 minutes on google to find a way to crash IE:
t en-things-to-do-in-cleveland-before-youre-dead/
http://www.meyerweb.com/eric/thoughts/2004/09/14/
-ben
I did much the same to test a user interface written by another programmer on a project we were assigned to. The interface wasn't a gui, it was a pure ASCII type, so I wrote a random character generator and threw the output at her interface for days at a time. Crash. Crash. Crash. It was wonderful. I don't know that it found every flaw, but I'll bet no one ever killed her interface by leaning on the keyboard (as actually happened on an earlier project I'd heard about).
I ran into similar issues with IE ignoring stuff and Mozilla catching it a few years ago when I was developing one of my first web applications with servlets. Mozilla was a great browser for testing my web apps during development. I remember I had a bug in my code that was supposed to populate a dropdown with options from a database but instead choked somewhere in the model layer and populated it with a bunch of breakspaces. Mozilla would show me the space characters in the dropdown where IE simply ignored them and pretended like the dropdown was empty.
It's a real pain in the neck for IE to not try to show what's actually there because when I first looked at the page in IE I assumed that I just wasn't getting what I wanted from the database since my dropdown was empty. In reality it wasn't empty, IE just didn't want to show me 1000 breakspaces as an option in my dropdown which is bad from a developer's standpoint. However, masking and hiding bad code and data is something that I absolutely want a browser to do when the application is out in production being used by my clients.
The bottom line is you should always develop your web applications with a browser like Mozilla that is going to catch your mistakes but once your application is out the door it's better for clients to be using a broswer that will hide any mistakes you didn't catch!
While I'm not thrilled that the browser I use seems to have some egregious problems in its parser, I feel Larry's done us (free software community) a huge service by providing us with the tools that highlight those areas that need improvement.
sloth_jr
NSCA Mosaic successfully survives all of these pages. This just shows that programmers these days Just Plain Suck, and Mozilla is the living embodyment of this.
There's no good reason that code should be vulnerable to integer or buffer overflow issues like this.
It appears that the overall quality of code, and more importantly, the
amount of QA, on various browsers touted as "secure", is not up to par
with MSIE; the type of a test I performed requires no human interaction
and involves nearly no effort. Only MSIE appears to be able to
consistently handle [*] malformed input well, suggesting this is the
only program that underwent rudimentary security QA testing with a
similar fuzz utility.
So.. maybe Microsoft code isn't so bad, after all? Let's see the spin on this from the MS-is-the-devil crowd..
I am the maverick of Slashdot
I still use IE because IT WORKS. Sadly, IE may not be the most standard compliant browser, but very few web pages are standards compilant. Firefox and mozilla and whatever are al cool, but many sites (particuarly those with non-technical submatter :-P) just do not work as intended outside of IE because they were built for IE.
http://brandonbloom.name
I have to ask:
When saying that Microsoft Internet Explorer didn't crash, does he mean that the window never went away, or that the program iexplore.exe stayed running? I can't prove it, but I suspect that the "IE" window would survive a crash of the rendering engine, because the window is actually provided by explorer.exe, which is the desktop manager.
I also suspect that several of the open source browsers could defend themselves against this kind of crash within a day or two, simply be using a two process model. Personally, I would rather they did not! (I want to see it fail, otherwise I would not know something was wrong.)
Of course, what I just wrote only really applies in a heterogenous environment
Wrong. This only applies in a homogenous environment where you can force everyone to write good HTML and force every application to ignore bad HTML. In the real world every developer and web-developer makes his choice. And it just so happens (by virtue of natural selection) that for browser-developers it makes most sense to write code that understands bad HTML. This way their product works better, users are happier and their browser enjoys the 90% market share. Microsoft is not evil (in this regard), they are just being rational.
Future Wiki -- If you don't think about the future, you cannot have one.
I wonder how much of IE's "stability" is because of good code and good parsing, and how much of it is due to the fact that IE didn't *know* it's eggs were scrambled?
It wouldn't be the first time that a program went on "running", only to *eventually* go out to lunch and not come back.
At least the others *noticed* that something was wrong - and died.
You aren't remembered for doing what is expected of you
Every sizeable project is likely to have bugs - fact of life. What's going to be really telling is seeing how long these problems take to get fixed as compared to the average MSIE exploit.
You run Internet Explorer...
I watched "Moon Child", the VCD verison, and BOTH times when Xine reached the end of the VCD, as the last of the credits rolled, the entire laptop locke up.
.9.x release, and has not normally done this on other DVDs or VCDs I've watched. Just with Moon Child, the Japanese version with English & Jpns/Chns subtitles. Periodically, after taking 10 screen snaps with Xine's camera icon, Xine would just disappear. I'd then have to stop Alsa, by running /etc/rc5.d/S17also force-restart
Nothing worked, not even ctrl+fn+someletter would work. I am an avid Lxr, and I only use win98 inside Win4Lin, but last night I even had that off, I reniced MySQL to something like +15, and at one point reniced Xine to -9 or -10 before shutting it and restarting it.
However, I was off-line, and did not even have Firestarter nor Etherape running, so my CPU is not being overloaded. I do notice, unrelated to Xine, that running Win & in X4ce starts MUCH faster (as when KDE is FRESHLY run) than currently in KDE. I imagine one of my hidden dot files or authority or temp files is trashed, or maybe something in a win4lin path is hozed. Maybe my box has been cracked weeks ago. I dunno. Have to check my logs.
However, I accept that xine is
And if Xine was alive at that point, the force-restart would kill it dead.
I know this is not exactly along the lines of browsers, but if VCDs and DVDs are being watched while a user is on-line, who knows if a batch of bad code is being fed to the userspace tools? Who knows if other compromises already on the box are aggregating to worsen things with a new breach's arrival. Fortunately, I prefer to yank my ethernet anytime I'm not surfing. I tend to yank my bband router, too, to keep its visibility low.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
The Internet can be accessed just fine (spyware, viruses, and worms aside) with a Pentium 100Mhz computer. Windows XP cannot be installed on such a machine.
"So? You've just described the web!" Well, exactly, but it could have been avoided. Bad markup shouldn't render.
This point may be "insightful", but it isn't new. It was raised by many people back in the early 90s, when the web was young. They tried to get people to avoid "the problem" of bad markup back then, too.
They failed, because the average person didn't see bad markup as a big problem. The average person trying to put up a web page didn't *care* if their page didn't match a formal specification of how a "proper" document should look. They just wanted to be able to show grandma their pictures of the new baby, or the new cat. They figured that if the computer could "figure out what they meant", that was the important thing.
When one program would do what they wanted, they said it "worked". (It let Grandma see their cat picture! Yay!). When one program didn't do what they wanted, they thought it "didn't work". They didn't know or care what the WWW consortium thought of the whole thing. Businessmen had similar, impatient thoughts, about how much time and money they were willing to spend on web page development. The faster the page went up, the better. They weren't being paid to make the WWW consortium happy.
Bad markup renders today because most people wanted bad markup to render. I think they still do. Unless that changes, technical efforts to enforce "proper" markup are going to face user acceptance challenges.
It ain't rocket science to do (or generate, though that can be a harder problem) correct markup. If you had do it to get your pages viewed, you would.
Historically speaking, neither of these points proved to be true. My Mom hasn't learned how to frame text in angle brackets, despite ten years encouragement to do so. She thinks it's hard. So do a lot of people. I know she'ld prefer a program which "just worked", over one that was "picky" about a standard she never really understood. If you make a tool too hard for people to use, they won't use it.
Ultimately, it wouldn't cost anymore, and would actually cost less (measure twice, cut once).
It would cost the end users more, and the developers less. The end users get more work, and the developers get less. The end users don't like more work. If you try to get them to do more work, you'll face an uphill battle.
Personally, I'd very much prefer it if everyone followed standards. However, I also remember the history that I've lived through, and know how unlikley that actually is.
--
AC
That's not even a very tough test. A tougher test would be to generate calls which are permuted slightly from valid ones.
Looks like all this IE suck bs is just that, bs.
grep -iw skynet
no wonder IE is so slow compared to other browsers.
This is just more proof that open source is written by amateurs. The only reason that people running firefox haven't had their day ruined by hackers is that there is essentially nobody running firefox.
If (and I doubt it ever will) firefox ever becomes popular it will be revealed to be much buggier that IE ever was.
Just to be clear, the user doesn't care. In "user" terms, there is a web page, and a browser that fails to render it is broken. This is intensely annoying to those of us (and this includes me as well as you) with technical mindsets, but it is true nonetheless.
I'm well aware of the nature of XML, and what the standards people would like to have happen. I'm also well aware of how frustrating it is to run a web site that has to work in browsers that's don't support the standards; I maintain a large site myself using XML, XSLT, HTML and CSS amongst other buzzabbreviations. However, the simple fact is that in the real world, standards are simply a means to an end (or not). If you're writing software for users, then the user experience is all that matters. Anything else -- standards, security, UI, file formats, whatever -- matters only to the extent that it affects the user experience.
As an interesting aside, you might like to read the AC reply to your previous post as well, and note that in fact C compilers do frequently have to deal with not-quite-right code because C programmers, like web developers, make mistakes.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Unfortunently for Mr Larry Osterman the www today is consisted of really "we formed html + more) code and the randomly mallformed pages are very few in number. The fact that MsExplorer does not crash on mallfomed code cannot by itself cannot make me feel secure and switch for example from firefox to MSiE. The problem out there today is that there are very carefully crafted sites,scripts,"applets" (not to mention even jpeg's) that are waiting to be rendered REALLY succesfully by our "trusted" MSiE and noone else. So I am waiting fom my firefox to crash on a randomly mallformed site and I leave all the succesfull rendering of all the "other" sites to MSiE
I find it amazing that anybody puts bytes in a buffer without doing a boudary check.
There is more than enough CPU power to do it and it would dispose of entire classes of attacks.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
OK, a lot of replies to my post have been the usual defence of Moz. I understand that; most of us are fans, and like many of you I use Firefox myself. But really, I didn't mention the margin hack and I didn't mention pages that browser detect. Gecko is quite capable of messing up perfectly standards-compliant pages in its own right.
For example, try playing with HTML+CSS pages and working with list tags. Try it particularly while you're working with block elements, floats, etc. You can easily get things like bullet points for unordered lists floating off the left of the containing box -- clearly not the intent of CSS standards. Trying to use an in-line format for lists rather than the usual vertical arrangement is a road to ruin as well. To their credit, they are getting better, but there are plenty of examples like this where IE does get it right and display a page sensibly, while Gecko's display is at best unpleasant. If you're going to give a point to Moz/FF for getting the box model right, you really have to give a point to IE for understanding elementary CSS when applied to lists.
Although we're talking about HTML specifically in this thread, there have been plenty of problems with XML/XSLT in Moz/Firefox as well. Simple XSLT elements for things like counting just didn't work properly for a long time, which meant those of us who really wanted to use XML+XSLT+CSS for Intranet sites and ditch HTML altogether couldn't if we used Moz (though IE can count, apparently) and had to use some intermediate step to generate (X)HTML that Moz could render properly instead. Again, to their credit, I think the dev team fixed this specific XSLT issue a little while back now, but it was outstanding for a long time.
Those are two concrete, and quite wide-ranging, examples where IE is clearly superior in how it renders the page, according to W3C standards, to Gecko-based browsers. Some web pages do work properly with IE and don't work properly with Gecko, even if they are completely compliant with W3C standards. Can we just learn to workaround the box model flaw like everyone else and play nice now, please? :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Anyone try feeding "randomly malformed" code to C#?
100% valid CSS and XHTML continues to crash IE.
It mentions there is no scripting or stylesheets in this test--just random HTML tag soup. So yes, there was a very defined, arbirtrary range established. The results are disappointing for IE competitors for sure, but given IE is at major release SIX and at the end of its life cycle, while the likes of Thunderbird are for less mature (barely at 1.0 and at the early stages of its life cycle) I would expect and demand no less than perfection from IE.
Given the arbitrary limits on this test, it appears to be designed specifically to make IE look better than its competitors and prove some point rather than be an objective investigation. It is well known that the most serious problems in IE are with scripting and CSS support being unstable, broken or incomplete. A similar test should be conducted of IE should be done with these included. Kudos to the author of the bugtraq entry for doing this kind of testing, but I don't think the editorial commentary regarding the amount of testing of these browsers or their attention to security is warranted or productive.
The author freely admits he did not seriously analyse the source code for the root cause of these crashes (and in the case of IE, he cannot do so even if he wanted to--but that doesn't stop him from proclaiming it as superior quality). He also provides no evidence that these bugs compromise security in any way beyond consuming system resources, so it was not exactly appropriate to attack their security abilities without further study.
As to the jibe about lack of testing...Many of these alternatives are open source projects, not yet at official 1.0 release yet people! Being open source, the whole point of exposure is to get many eyes looking at the code, and get people involved in improving the code. He seems to know a great deal about programming so I suggest he volunteer some of his spare time to the Mozilla project to make things right, if he is indeed THAT concerned about the issue.
'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to...'
Did they forget to mention that IE didn't appear to crash any more than it normally does, regardless of malformed HTML?
Computers are useless. They can only give answers. --Pablo Picasso
Ran test on mine, coz I was bored.
Didn't see a problem with Konqueror 3.3.0. I had a look at all the files in the pretty gallery and ran the cgi thing for about 15 minutes before getting bored of watching random stuff.
Top marks KDE team. r0x0r
Gaelon 1.3.15 survived for the 15 minutes of the cgi thing I could be bothered with again, but died on the gallery stuff.
Bad Gnome. sux0r
Yes, I know 1.3.15 is oooold. I don't update my Gnome stuff for a reason. Seems I have another reason now.
I took sandpaper and scraped it all over several media, including VHS, DVD, CD, Betamax and Vinyl.
The VHS and Betamax performed much better than the others, particularly of note was the DVD, and CD. They failed miserably.
George II -- Spreading Freedom and American values, one bomb at a time.
lots of broken code. Hmmm- do I smell another MS rat?
Tried the gallery examples, firefox crashes reliebly, links does too (from the error messages it looks like they actually catch the NULL pointer - it says "malloc returned NULL pointer" - but don't react to it)
However, I was not able to crash lynx with the example. It takes a while to render the page, but it renders it just fine (considering it is actually invalid HTML). Perhaps it depends on the amount of memory you have.
If I remember correctly, while ago there were rumors being circulated that IE is specifically designed to deal well with invalid HTML. Lot of people were of the oppinion that it is really bad, and that invalid HTML code should be rejected. Thay said IE basically encouraged sloppy web design.
AccountKiller
...when I tried it in IE. Although, several other links given did work, and IE crashed.
I suspect that like MS's security holes, IE's crashes are worse than thsoe of rivals: try using OBJECT to embed a webpage in itself for example.
Internet Explorer has a well-deserved reputation for working well on nearly every web page that matters - i.e., those involving the exchange of money. It's only its abuse in monopoly practices, i.e., Microsoft's absurd attempt a few years ago to shackle a simple web browser to OLE and ActiveX "standards" the world rightly sneers at, that makes my hackles rise. If the devil is a woman, Internet Explorer is her browser of choice, and would be mine except that Apple ties "security" to the use of Safari, a vastly inferior product imho.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
It's Michal, not Michael, you illiterate Yankees. ;-)
/., since /. is encoded in ISO-8859-1 instead of Unicode...).
In fact, the "l" shoud have a strike (sth like a small "/" on it, but this won't render on
http://shit.slashdot.org/article.pl?sid=04/10/19/0 236213
Isn't this part of the problem with Internet Explorer? It lets any bad code display, thereby promoting rather than discouraging well-formed HTML.
Imagine this as C source code rather than HTML. Would Microsoft be boasting that their compiler was able to produce some sort of binary, despite the code failing on basic type checking and syntax?
...with all browsers I have installed on this system.
Sat there with IE for about 10 minutes, firefox for 2 10 minutes periods, lynx for about 5 minutes, hitting the reload button over and over, approx about ever 1 - 5 seconds, depending how fast did each page load.
No crash in IE or firefox. No crash in lynx, either, hanged lynx after 5 minutes. I didn't have time to wait and see if lynx eventually comes back (in the gallery example, lynx didn't actually go into an infinite loop as the site claims, it just took about 10 minutes or so to render the page).
Crashed links almost immediately every time I tried it.
As far as I can tell, both Firefox and IE handeled it pretty well, considering the garbage being thrown at them.
AccountKiller
The below is all from http://lcamtuf.coredump.cx/
...
"The tendency for entropy to increase in isolated systems is expressed in the second law of thermodynamics -- perhaps the most pessimistic and amoral formulation in all human thought."
Name: Michal Zalewski
Age: 0749482120 seconds
Lifetime: 1866240000 seconds
Height: 184 centimeters
Weight: unknown
Nationality: Polish
Location: California, US
AI and A-Life programming, applied mathematics (fractals, deterministic chaos, dynamic systems), physics, chemistry, electronics. Dirty and weird programming in obscure languages of choice. Drawings, photography, writing. Observing people from safe distance. Looking for hints. Mostly harmless. No drugs. Only happy when it rains.
[lcamtuf::new]
Of most important news, my site got a new sponsor, eProvisia. I wholeheartedly endorse their excellent products - and so does ZDNet, Sophos, F-Secure, Slashdot.org, and ArsTechnica! What else? Got Slashdotted for no appearent reason again. I am wrapping up with my book, in the meantime, you can check out a beta version of fakebust, a rogue code discriminator. There are some new photos, as usual.
[lcamtuf::book]
For a couple of months, I've been working on a humble book of mine, "Silence on the Wire" (subtitle: "A Field Guide to Passive Reconnaissance and Indirect Attacks") to be published by No Starch this fall. The book will be a guide through the world of computing, tackling mathematics and electronics while discovering what security is about, and how to deal with it in a creative manner, and perceive it as an inherent property of all communications, not a set of adverse circumstances.
No one has enough resources to fix every bug, not even Microsoft.
With $50 billion on hand, it'd be nice if they actually tried.
gewg_
This is simply a misunderstanding of the article (no offense). The examples are specific outputs of a random machine. The outputs in question happen to kill the browser the file is named after. So by testing the html pages that are presented you've missed the beef of the article/posting, which is the random machine that came up with those specific html pages.
The true test is to download the man's application mangleme.cgi, install in on a server, and then point Safari at it.
I have done this and Safari (1.3 developer release) crashes quite quickly.
So does IE 5.2 for the mac.
As a side note. Netscape/Mozilla has had something, similar, but not quite the same as this for some time now. Called Browser Buster. It did not generate random html, but did continuously feed real websites, chosen somewhat at random until the browser crashed. I remember we used to have goals, like "last 24 hours on browser buster".
Joseph Elwell.
sooo, basically, Every browser cept IE crashes when they are forced to, but IE is the only one that crashes when it is not supposed to...sounds like this study only makes IE look worse... -jordan
Another test he could do is to report all the bugs he discovered that he can recreate on demand to the team that writes the browsers, and see which team comes up with a fixed version the fastest.
<business manager>
<shrug/>
Some customers are worth losing. I'd rather spend my limited budget in a way that appeals to 95% of the visitors to my site.
</business manager>
I agree that it would be nice if web sites were all written according to standards and all worked in any browser. But right now, the world doesn't work that way, and expecting businesses to adopt some sort of moral stance on this at the expense of potentially vast sums of money is unrealistic.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
5 minutes of clicking refresh http://lcamtuf.coredump.cx/mangleme/mangle.cgi and no crashes or memory leaks showing in activity monitor
I just checked all the "free samples" against IE 5.00.2314.1003c (the Win2K team's internal build, and the only IE version that I consider halfway decent). It dates back to late 1999. My copy has NOT been patched.
NONE of the samples crashed my IE5.00.
mozilla_die3.html *did* cause IE5.00 to ask to access the internet (per ZoneAlarm's popup); from the simple HTML involved, I don't see why that happened, so I consider this response a security issue.
Otherwise the worst result was a really stupid looking text entry box (about 1/8th inch wide and half an inch tall).
~REZ~ #43301. Who'd fake being me anyway?
[input type]
I've known this since 1997. It just goes to show that IE requires the fewest bytes to crash at will. If that's not enough evidence of how easy it is to crash a browser, play around on http://www.digicrime.com/.
But what do I know. I'm sure I'll get flamed for saying that anyway. ("duh there's a NUL pointer!" You mean character 00? So what?)
At least a browser crash won't lock up my OS or overwrite other portions of memory. Lesser evils and all that.
C|N>K
Clever, but surely the reason such buffer overruns are dangerous is because RETURNS are executed out of the same stack. Keep those addresses in a separate stack and the problem goes away. I can't see why CPU manufacturers don't do this, they would have a great marketing tool too - "use our processor and stop viruses!". It's this mix of code and data on a stack that is the root cause of this type of exploit, and seems to me it could be fixed very easily.
Safari 1.2 for OS X 10.3 does not crash, Camino 0.8.1 does. Helloooo, TalkBack.
Mozilla die1.html
mozialla die 3.html
Watch the difference when you remove IE with http://litepc.com/. It's like night and day. The problem is that IE preloads its dlls as you boot into Windows. Yes, you can thank IE for slowing down boot times. If you truly want to figure IE's footprint, it's a whole lot more complicated than just checking what shows in Taskmgr.exe....
... and I must say it was neat to see. It looked like Lynx just wasn't doing anything, so I kept clicking Help - About in Program Manager. The free memory kept dropping. Thankfully I run WfW 3.11 with 512 MB of RAM. :) Anyway I only had 300-some megs of memory left, so I figured I'd play it safe and click Settings - Terminate. That memory did not free up until I restarted Windows for Workgroups. Fortunately that takes under 3 seconds to do. :) :)
I remember the old reliability test of Unix commands which showed that GNU versions were much less likely to crash or do odd things when given random or pathological input. I would have expected the same sort of results with free web browsers. Still, well done to Microsoft for making their HTML parsing code robust against this kind of bug.
-- Ed Avis ed@membled.com
ftp://invisible-island.net/temp/lynx2.8.6dev.7b.pa tch.gz
It's too bad it can't deal with properly formed html.
Well, you know what they say: "Stupid is as stupid does". Does it really surpise anyone that broken code "shines" on broken code? Who knows, the errors might fix some of IEs bugs. Sigh... if only it were that easy.
My first thought on this was "IE renders bad code that other Browsers choke on" which isn't exactly unkown to me. So I'd hardly say that the report really reflects all that well on IE. I've seen things before that although they didn't cause other browsers to crash they did render wrongly under anything other than IE, whereas IE just happily skipped the problem and rendered it the way that the author was expecting despite the bad code. So I'm not exactly thrilled that "Bad code doesn't crash IE", as it's a symptom of anotehr problem.
Having said all of that one thing that I've believed about Browsers is that they should fail gracefully. Kinda why I hated NS4.x and CSS. At least other non-CSS-compliant browsers would straight-render my old pages - Netscape just mangled it.
So from the looks of the article it seems that the other browsers aren't exactly handling the bad code is a very good way. If badly coded stuff causes a page to bomb-out then it's definitely a flaw.
Like I said, though, no side really comes off best here. 'Cos it means either your browsers dies on particularly bad code, or it renderes bad code "perfectly" and thus causing problems when "Well it runs fine on my Browser" is the only method of testing.
Tiggs
"120 chars should be enough for everyone..."
...does use the same gecko engine, but it was written from scratch at a time that IE was already quite mature.
That said, there now seems to be a fire burning under the butts of team Mozilla, so expect things to be fixed rapidly.
It's comforting to know that his intentions are good--to make sure we simply get better software.
It's good to see that MS has removed the "crash" tags from IE's "feature list" and that tag soup will no longer kill it. It shows that MS is actually being serious when it says that it hasn't abandoned IE.
That said, I really hope Zalewski conducts a similar test involving scripting/DHTML/CSS. To this day I don't have to try hard to make IE barf on that stuff. In those cases the problem is even more insidious in IE--it doesn't crash much but it does mangle the document appearance. For example, IE makes things invisible when they should be visible onscreen, but they still behave like visible objects programmatically, etc. CSS is very strange in IE in particular...
... the reason IE is so exploitable is that it swallows anything without crashing ... right away.
Enough already. If "I think any use of unordered lists in combination with floats currently leads to the bullet points off the left margin problem" isn't clear enough for you to try it out, you guys really aren't informed enough to be in this conversation. Still, just for you, here's a trivial example that obviously breaks in Firefox up to at least 0.9.2. Just add clutter to turn it into the standardised HTML version of your choice...
Rather embarrassingly, it also breaks Slashdot's <ECODE> tag. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
no, no, no. Crashing is not error handling, and crashing is not strict HTML handline, crashing is LACK of competent error handling. Rendering incorrect pages liberally _is_ better than crashing, though error handling would be better.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
JavaScript is Turing-complete, so if your HTML includes JavaScript, you're doomed, but I believe that HTML and CSS are not Turing-complete, so it should be possible to prove that a given HTML input can be rendered.
I appear to have a blog. Odd.
However, with HTML, you can just render the slice that's visible to the user, rather than the entire document. Thus, assuming displays are of finite size, you can bound the complexity of the render engine.
I appear to have a blog. Odd.