Slashdot Mirror


IE Shines On Broken Code

mschaef writes "While reading Larry Osterman's blog (he's a long-time Microsoftie, having worked on products dating back to DOS 4.0), I ran across this BugTraq entry on web browser security. Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse.' If you want to try this at home, he's also provided the tools he used in the BugTraq entry."

14 of 900 comments

  1. Because it's used to it? by ideatrack · · Score: 5, Funny

    There's a good phrase I can use to explain this one:

    If you work in a monkey house, you expect to be pelted with shit.

  2. hmmm by Anonymous Coward · · Score: 4, Funny

    I'd love to read the article, but the page seems to contain malformed HTML...

  3. What they didn't say by Anonymous Coward · · Score: 5, Funny

    They didn't say that IE also started randomly installing Bonzi Buddy et al during the test, the users' credit card numbers were automagically emailed to Romania, there was a sudden increase in outbound port 25 traffic from the system, and they ended the session with about 37 more toolbars installed than they started with.

  4. Security Issues by PrivateDonut · · Score: 2, Funny

    Does the fact that most of the browsers crash mean that they are vulnerable in some way? Or is the fact that they do crash a good thing?

    1. Re:Security Issues by iamdrscience · · Score: 2, Funny

      Speaking of best-guesses, I recall a problem I had in Debian once that resulted in an error message something to the effect of "XYZ not found. Trying to wing it..."

  5. In a land of broken codes... by kusanagi374 · · Score: 2, Funny

    ... the broken app is the king!

  6. Finally... by fredrikj · · Score: 2, Funny

    ...a benchmark that actually measures real-world performance.

  7. Let me get this straight... by jav1231 · · Score: 2, Funny

    He starts sending bad data...data the program wasn't intended to read...it crashes...and this makes them just as bad as IE? I tried to cat a binary once. My screen shat.

  8. Re:So what is "random" here? by Kick+the+Donkey · · Score: 4, Funny

    That's the thing about randomness. You can never be sure.

    --
    /. is a bunch of nerds at a million typewriters. It's not a political conspiracy determined to undermine your beliefs.

  9. Tell me, Mr. Anderson... by b374 · · Score: 3, Funny

    Tell me, Mr. Anderson, what good is a browser when you are unable to access the net?

  10. Re:An important security sidenote by bunratty · · Score: 4, Funny

    Yep, the first mozilla_die entry crashes Mozilla 1.8a4 for me, too. Sounds like the tests are repeatable enough. Now quick, everybody rush to file bug reports and the winners can collect their $500!

    --
    What a fool believes, he sees, no wise man has the power to reason away.

  11. that's easy by nazokoneko · · Score: 2, Funny

    $ badhtml.o | /dev/null

    Hey, my script doesn't crash either, and it's only one line! Of course, the caveat is that it only displays GOOD tags about as well as IE, too...

  12. Re:An important security sidenote by FooAtWFU · · Score: 2, Funny

    As a web developer, I find it infuriating that users use a proprietary browser which takes standards-compliant code that results in perfectly good, beautiful pages in every other browser... and mangles it.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.

  13. Re:An important security sidenote by Old+Wolf · · Score: 5, Funny

    I have a worse CD.. if you put it in the drive then it starts to install Windows 98 :(