Slashdot Mirror
IE Shines On Broken Code
mschaef writes "While reading Larry Osterman'a blog (He's a long time Microsoftie, having worked on products dating back to DOS 4.0), I ran across this BugTraq entry on web browser security. Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse.' If you want to try this at home, he's also provided the tools he used in the BugTraq entry."
Since it may not be obvious to all readers, be aware that when you can make a program crash by feeding it bad data, you can typically further manipulate the data you are sending it to take control of the program. That means a security hole. This is how buffer-overruns work. You can't always do it, but you can think of each way you can crash a program as a little "crack" in its exterior. If you can figure out a way to pry apart the crack, you've got yourself a hole.
.NET languages, rather than programming in straight C like the others) which as a side effect prevented such problems.
So many of these "bugs" in Mozilla, Opera, Lynx, and Links are likely security holes as well.
It is interesting, then, to see that Internet Explorer did so well on this, with its notoriously bad history on security. My first instinct would be that the HTML parsing engine in Internet Explorer was written by a different team of programmers than worked on the rest of the software, and they used proper programming techniques (such as RAII in C++, or perhaps used one of their
Let's hope that all these bugs are taken care of in the other browsers quickly before the black hats find ways to make use of them.
It's hard for thee to kick against the pricks.
There's a good phrase I can use to explain this one:
If you work in a monkey house, you expect to be pelted with shit.
I'd love to read the article, but the page seems to contain malformed HTML...
However, my Mozilla passed the test without crashing. :-P
Money for nothing, pix for free
They didn't say that IE also started randomly installing Bonzi Buddy et al during the test, the users' credit card numbers were automagically emailed to Romania, there was an sudden increase in outbound port 25 traffic from the system, and they ended the session with about 37 momre toolbars installed then they started with.
Does the fact that most of the browsers crash mean that they are vunerable in some way? or does the fact that they do crash a good thing?
Aparently, XPSP2 (including the new IE) was recompiled with the latest visual studio and with all the options turned on to better catch issues.
Without looking at it more closely my first reaction is, well for his values of "random" this might be true. But random is a horribly abused term in computer science. First of all it was no doubt arbitrary within certain ranges rather than random. Then, we need to look at why he chose those ranges.
... the broken app is the king!
...a benchmark that actually measures real-world performance.
With such a powerful parsing engine you would thing IE could parse web standards a little better.
Steal This Sig
Sounds like a "here comes the science" article to me. I find the information in the article lacking since no mention is made of what version of IE is being used to conduct these tests.
I suspect that the mozilla developers will be busy using this same tool to vigorously debug their application...
*shrugs*
So, if you feed IE random crap it doesn't crash? Too bad when you feed it stuff you'd like it to crash on (auto execution of malicous code, etc, it works just fine...)
When all is said and done, I still feel 100% safer surfing the web with some Gecko deriviative...
Yes Francis, the world has gone crazy.
I don't know if they still use it, but the Linux kernel developers used to use a program called "crashme" to help test kernel stability. Essentially, it generated random code and tried to execute it. Something like this for web browsers would make for a very useful procedure. Generate the code, throw it at the browser and log the code if it crashed the browser.
Of course IE can handle broken html. That's what Microsoft Frontpage produces. They have to be able to handle their own product.
As x approaches total apathy I couldn't care less.
Nothing crashed. I got blank pages, all the weird HTML and all, but no errors and nothing crashed. w00t.
This being Slashdot, I had to RTFA to see in what sense IE was shining. (Shining us on = pulling our legs, con job.)
One line blog. I hear that they're called Twitters now.
It encourages web authors to make pages that don't work in other (standards-compliant) browsers. But even MS is getting a bit tired of this, because (1) there are now plenty of pages that don't work even with IE (I encounter them all the time at work), and (2) all the error correction code helps to keep IE bloated and slow.
I have never had a problem with my Firefox crashing (ever). But now thanks to this article, I can correct that. =)
When will it shine on working code?
Konqueror has a neat bug symbol on the lower right corner when displaying buhhy html code.
I think this is a nice feature.
I wish that konqueror would have been tested. It's a good browser.
He starts sending bad data...data the program wasn't intended to read...it crashes...and this make them just as bad as IE? I tried to cat a binary once. My screen shat.
While I must admit that this is a great technique that can be employed by the various alternative browser vendors such as the firefox team to weed out problems. With its track record I find it rather dubious that the guy was unable to crash IE. Im willing to bet there are a couple of people here on Slashdot who know a few tricks that will crash IE with nothing more than a couple of lines of code. Which would enevitabley point to a flaw in his system. If anything at all this highlights IE's highly forgiving HTML parsing.
Electronic Music Made Using Linux http://soundcloud.com/polyp
Larry Osterman is about to demonstrate one of the great values of open source. He's identified a set of malformed HTML and within a few days/weeks someone will have fixed it.
If this were a closed source / Microsoft browser, then there would have to be a complete release cycle before a non-security issue is resolved.
All software has defects, it is the access to the code that allows someone to rapidly fix issues that sets open source apart.
Great, but then it also encourages people to write bad code - see all that code with broken tables and a million tags that remain unclosed?
You're confusing two seperate things here:
This guy has been testing for (2) and not (1). Bad HTML should never cause crashes, memory corruption and buffer overflows. Period.
Finally, you can't go blaming the users for bad input. One of the golden rules of software design is that all software should either reject or handle gracefully bad input. Crashing is not graceful.
Avantslash - View Slashdot cleanly on your mobile phone.
Microsoft can afford a purify license.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
...after it crashes does it hand the keys over to a malicious outsider or does it just stop working?
On my older [less mem, win2k] machine I could get Mozilla 1.5 throug 1.7 to hang by just visiting a lot of pages without using the BACK key. But the mozzie browsers don't have all those hooks into the OS that make backdoor control schemes possible. Mozzie failure modes would make for nuisance DOS, not subjigation of your system. If you accept the results claimed in the blog then its clear that MS did a better job of putting "containment" around their rendering context but the long list of vulnerabilities against IE also means MS has been too feature-happy or naive to avoid control hooks between the container and the OS.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I know what he was talking about - my point was merely to highlight that IE has a robust renderer.
The renderer adequately makes up for errors in the HTML code, and consequently there are fewer crashes.
The same thing that helps it render bad code helps it withstand what he's just done. I merely said that there is a _downside_ to that capability, too.
Duh. Get it now?
I like the idea that my browser (Firefox) may crash upon finding bad code that could be used to infiltrate my system. This is just another call for web monkeys to write standard html with the browsers to only parsing to said standards, therefore assigning things brought up by this study to history.
This also could be part of the intergration that Microsoft keeps harping on about. The error checking on the html is so good that it can only come from inside the OS*.
* Apologies if this is wrong, I know nothing about OS and Browser coding, and is based on wild speculation only
Assuming this MSFT guy is not lying...
Yes it's a slap in the face. But seriously this is what OSS is supposed to be about. Full public disclosure. If he did find scores of DoS related bugs then the OSS crowd [who like to show their names when the attention getting is good] ought to pay attention and fix the problems.
You can't gloat how open and progressive you are if you scowl and fight every possible negative bit of news.
And "mentioning how bad MSIE is" is not a way to make your product any better [just like "he's not bush" isn't a bonus for Kerry].
So shape up, take it in stride and get to the board.
Oh and while you're at it make Mozilla less bloatware. 30MB of tar.bz2 source could be your first problem....
Tom
Someday, I'll have a real sig.
I have crashed Firefox a few times. And no I didn't try to make it crash, it just did.
You can probably find someone who have crashed both and someone who have crashed neither. Without further information about the crash, feedback on what you have crashed and how many times you have crahed it is pretty much meaningless information.
Catch is, IE did not crash; the machine crashed. So, technically, it's not an IE crash... ;-)
I know.
What I meant was this -
1. Broken HTML is corrected before rendering in IE
2. Therefore, Broken HTML cannot cause the same problems in IE
The fact that even bad code runs is what helps it handle his mangled code. However, the flipside is that this encourages bad code, which is what I meant to say.
None of the samples in http://lcamtuf.coredump.cx/mangleme/gallery/ was able to crash Konqueror from KDE CVS Head. Heheh time to praise Khtml developers again!
Never learn by your mistakes, if you do you may never dare to try again
RTFA. Larry didn't find the broken HTML, he just referenced an article which did.
I saw something like this (not quite, but similar) a few years ago working with Java Script.
I wasn't that experienced with it, and as a result, certain pieces of my code were syntactically incorrect. Specifically, I was using the wrong characters for array indexing; I think I was using "()" instead of "[]". I would never have known there was even a problem if I hadn't been doing side by side testing with IE and Mozilla. A page that rendered correctly in IE would always show errors in Mozilla. This made absolutely no sense to me.
It wasn't until I viewed the source generated by each browser that I discovered the problem. IE was dynamically rewriting my JavaScript, replacing the incorrect delimiters with the correct ones, whereas Mozilla was simply taking my buggy code at face value.
1.) a browser should defiitly not crash when it is fed malformed html.
2.) crashes due to buffer overflow ARE security issues, since they allow you to insert malicious code.
if it was IE that crashed and not mozz, i bet you would have shouted that microsoft made crappy software.
now i am waiting for you to shout that mozilla is crappy software...
(crow disperses, mumbling that that is something totally different.)
This isn' insightful at all. First, you'll be the first person to bitch when a mozilla virus comes out.
Second, "crashing when invalid" as you and many others are alluding to is NOT a good idea. What if you had another tab open with email/urls/info you needed?
What if other software took this route? Invalid operands to open()? Time to crash. Invalid socket used in send()? Time to crash. Segfault in application? Kill the kernel processes!
It's a problem, it has to be fixed and there aren't two ways about it.
Tom
Someday, I'll have a real sig.
The same person tells us that Apache sucks when compared with IIS. Does this mean we've all been wrong about Microsoft products? If we take Microsofts word for it we have indeed and should seriously consider switching back to IIS. After all, [THE FOLLOWING IS SARCASM:] this conclusively proves that IIS is far superior to the Linux Apache Mysql Perl/Python/Php system.
[signature]
way back whend =18827 8
https://bugzilla.mozilla.org/show_bug.cgi?i
(have to copy/paste that url since bugzilla blocks slashdot refer's)
You don't need to know html to write pages for it ;-)
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
MSIE passed that problem already. They had that famous bug of which was an invalid NULL pointer. It seems instead of fixing this single bug, they gave a good overhaul to the whole code, fixing all vulnerable places and getting MSIE to swallow any malformed tags.
From what I've seen on Bugzilla, I haven't seen Mozilla to have any similar problems. Malformed tags cause misrendering, break pages etc but don't crash it. Or at least, didn't until now. It's just time for Mozilla people to do to Mozilla exactly what Microsoft people did to MSIE.
(about Opera, I'm not surprised. The shortcuts they've taken in DOM to make it "the fastest browser" are more than dangerous...)
Anagram("United States of America") == "Dine out, taste a Mac, fries"
His only criterion is whether the browser crashes or not. Somehow, it disturbs me more that IE doesn't crash; what precisely is the effect of the bad code then?
I agree that these are all potential security holes, yet the article author mistakenly correlates crashing with vulnerability.
What if IE is similarly vulnerable yet simply doesn't crash?
From that point of view, at least crashing is an indication that sometihng is not right.
All the same, I consider it a good beginning.
Blearf. Blearf, I say.
so, did he REALLY find many bugs, or did he find just a couple bugs that
manifest themselves with many variations of html that really are doing
essentially the same thing?
So IE is better at handling junk.
Nothing new here...
i cant seem to come up with a sig.
I may be a little paranoid (heck, I actually am) but I've long suspected the IE support for loose HTML was a strategic decision. Go back to the days when Netscape would render a page with a unclosed table tag as blank. IE rendered the page, and I often encountered sites that didn't work on Netscape.
It could be a coincidence, but the loose HTML support of IE led to a situation where some webmasters conclude that Netscape had poor HTML support. You can argue about standards all day long, but if one browser renders and another crashes or comes up blank there isn't much of a contest.
-- Solaris Central - http://w
There's a difference between posting an error message and crashing. So I don't think there's any upside for the other browsers on this issue.
As for allowing sloppy HTML, that's a problem if you think the primary purpose of a browser is to enforce HTML standards rather than display web pages.
I just tested his CGI using FireFox 1.0PR. I reloaded it 50 times, and the browser never crashed.
;)
Maybe his testing skills aren't that up to date? (From viewing the source, it is obvious that his html skills are lacking)
No. I don't care how bad the input is, if my program reads the input and throws an access violation, then it is my job to fix my program, test the input more, assume less about it or whatever, until my program does something more sensible and less dangerous with the input - like giving up with an error message or even an assertion failure.
I repeat: code that crashes with a null pointer error is wrong. End of story.
My Karma: ran over your Dogma
StrawberryFrog
Yes this is one thing that I have disliked about IE over the years people write their sites for IE instead of following standards placed bu W3C (World Wide Web Consortium) So because people have been ignoring standards so has IE. That is why IE is years behind when it comes to standards support.
This troubled me when I took web mastery in college and saw every one writing their sites for IE and no one testing for standards. I confronted my teacher about it. Explained my case and he gave us 10% extra credit if we made all of our sites for the semester standards complaint.
My point is a browser that runs bad HTML code implies bad programing methods.
Linux is like a teepee. It has no windows, no gates, and there's an Apache inside.
One wonders whether this indicates an emphasis on a "test case" driven development process, as opposed to a "functional spec" driven process. Certainly there must be a design rule that says "never crash, assume something and drive on".
Upon reflection, I don't recall ever seeing an error message from ANY browser telling me that a particular web page it is attempting to parse is fubar'd beyond hope, they all just drive on as best they can.
This is particularly highlighted in XHTML pages, where there is an abundance of structural features (strict closing of tag sets, for one) that enable detection of broken code. I don't recall (disclaimer for failing memory) ever seeing a message indicating that the page's code was broken, browsers just muddle through, producing erroneous displays and hoping the result is "good enough".
Perhaps if the browsers reported web page syntax errors -- something blunt (but not crude), like "the web page you are attempting to display is broken and is not properly displayed" in a large translucent block font over the rendered result -- the web would be a more syntactically correct place.
It would have to be something simple enough that Joe User wouldn't reformat his hard drive and reinstall the system upon seeing it, and blunt enough to motivate web content producers to make better code.
Firefox has fast developement, they'll fix this in a month, meanwhile the IE css box model has been broken for the last 5 years, and they still don't have a pop-up blocker built in. I've noticed a few Firefox crashes that sound like this so hopefully its gonna be fixed very soon. I might sound biased against Microsoft, but actually i've been learning C# and loving it! Microsoft are hardcore, they just concentrate on business more than software sometimes, and as a budding young student, close to graduation with plenty of debt whos just totally sold-out i can respect that.
This comment does not represent the views or opinions of the user.
Once had a script that renderd a bunch of large tables (It was a report) - Had the end-table in the wrong spot that made the page look like it had 1000's of nested tables... IE when rendering the page would eat up TONS of RAM and eventualy ither crash or lock up the system......
You just never know..
http://lcamtuf.coredump.cx/mangleme/gallery/
I opened all the pages in tabs in Firefox 0.10.1 under Windows 2000, and Firefox did not crash. It became somewhat unresponsive, but I could still select other tabs, minimise and maximise. I could not load new pages anymore.
Can someone else test this as well, please?
And can someone tell us whether this has security implications or not?
Shouldn't this random input be part of standard testing for any application?
I use it all the time for testing my PalmOS project: the PalmOS emulator has a "Gremlins" mode that throws random events at your application constantly. My basic rule is that if it survives 300,000 events without crashing, there should be no major problems.
Of course it won't catch functional bugs, but it's an incredible tool for catching unchecked inputs, memory leaks and similar problems.
There's a difference between posting an error message and crashing. So I don't think there's any upside for the other browsers on this issue.
Ofcourse.
Nowhere did I mention that it was so, did I?
I do agree that these are quite serious bugs (both of them seem to be associated with datatypes and boundary checks), however IE's ability to deal with retarded code may be what has saved them this time.
Take a second to compare IE's track record for security/stability when compared to Firefox/Mozilla. Also consider that the vast majority of the serious bugs in Moz have been fixed within *hours*. What has MS' response been to several critical vulnerabilities in IE: "Um.... we may get around to fixing it" or "No, we're never fixing that".
Compare this to: "Oh, X has a security bug.... therefore publisher(X) makes crappy software".
Next?
"It is a good divine that follows his own instructions" - Portia, The Merchant of Venice
Pfft, bullshit. Security QA? Riiiiight.
My wife switched to the Fox over a year ago(well, it was called something different then...) because IE was too crash-prone. I didn't tell her to, she asked me if there was something else she could use. That is only one example of someone switching because of stability, I personally know several folks at work who did the same. I haven't used SP2, so I don't know if it's better there, I'm sure it is. But to conclude that IE went through more vigorous security QA is absolutely laughable.
OTOH, this does highlight serious problems with other browsers. OTOH2.0, there are a number of crash bugs in Moz that are known and aren't considered security vulnerabilities, so I wonder if any of the crashers the author found are the same.
Anyway, interesting article with ridiculous conclusions, however some very much needed good PR for IE ;D
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Opera 7.54 on Mandrake loads taht cgi "lite" live demo page succesfully and while refreshing shows random junk. no crashes and no slowdowns.
Ugh. Not the best written Slashdot entry.
:-)
Larry Osterman -- former Microsoft guy; someone forwarded him a post to Bugtraq.
Michael Zalewski -- absurdly brilliant security engineer out of Poland. Did the pioneering work on visualizing randomness of network stacks, passively identifying operating systems on networks, and way way more.
Nothing bad against Larry. But this is all Zalewski
--Dan
The entry refrences this, which just spits out bad HTML from the tools he wrote. I'v been reloading
it _MANY_ times now in firefox 0.10, but havn't seen any crash yet.
Anyone crashed anything on the above link ?
Nevermind using random garbage to crash a browser, you can make IE6 crash with perfectly valid strict HTML.
Try this page in IE6 and then hover your pointer over the link. Crash!!!
Replicating the experiment on mozilla on linux (repeatedly refreshing the url: http://lcamtuf.coredump.cx/mangleme/mangle.cgi) causes NO CRASHES
I think there may be some FUD here...
-
So what? I have never had a problem with my Firefox crashing (ever). Sure, if you try to make something crash, it eventually will. Considering how much security holes IE has, IE could be the missing link, and I still wouldnt use it.
Just because you haven't crashed it doesn't mean it's not happening. I switched my Mom over to Firefox for her computer's safety about 2 months back. She's still using it, but it crashes for her regularly and it's becoming a big frustration for her. As she put it "why does Firefox crash so much, IE never crashed on me?" If Mozilla/Firefox/Opera/etc. hope to continue gaining ground on IE, then this type of thing needs to be addressed.As I see it the major problem that Mozilla/Firefox has is the vast majority of those using it (and most definitely the vast majority bothering to report bugs/crashes) are techies. Why is that a problem? Well we probably don't spend our time to going to "silly" E-card sites and joke sites that use bad flash/html. Sure we can dismiss those sites as not important, because to us they aren't, but to a large portion of the average users out there they're one of the most important things they do in a browser because to them they're fun.
So I'm betting Mozilla/Firefox actually crashes regularly on non-techies simply because they visit sites that most techies don't bother to test the browser on.
Case in point.
Last week I wrote some Perl to process an mbox mail folder. I just wanted a quick and dirty way to view its contents in a web page. A couple of CPAN modules and a few dozen lines of code and thing was done. Then I started to get fancy and dealing with stuff like embedded MIME-encoded GIF images. This was pretty simple to do, but I made a mistake. Once I had the decoded GIF data lying around, I wrote it to the HTML file of the current e-mail message, rather than writing it to a seperate file and writting <img src="foo.gif"> in the HTML file.
I was viewing the results with Firefox 0.10.1. When it got to a message with an embedded GIF, with a big slodge of GIF binary data sitting in the middle of the page, Firefox either just sat there spinning its hourglass, or crashed and burned.
Then I looked at the same file with IE, and the GIF image showed up. I was puzzled for a while until I noticed that in the directory where I had created the file, no GIF files had been created. It is of course arguable that IE should not have attempted to render the GIF image from the binary data sitting in the middle of the page, but it did so without complaint. Not rendering it would also be acceptable.
Firefox, on the other hand, has a number of better alternatives to crashing or hanging. Should it display gibberish (like when you forget to set up your bz2 association correctly) or nothing, or the image? I don't know, and don't particularly care about which course of action is taken. Anything is better than crashing, especially when IE doesn't.
Anyway, I fixed the Perl code, and all is well.
The End
Let's see... it came up with:
...and I'm having a hard time finding anything else. I remember seeing a few before, but I can't find them, and I really should be doing homework right now. CyberArmy used to have a crash page, but I can't find that either. Oh well... but they do exist.
http://www.geoapps.com/ie6crash.shtml: Image exploit that does something to mozilla, but nothing serious
-ReK
md5sum -c reality.md5
reality: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
Huh? Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10.1 No crashes here. I must not be lucky.
Tell me, Mr. Anderson, what good is a browser when you are unable to access the net?
While it's great that IE can handle 'bad' web code, it really is a seperate issue from security. Now, when the other browsers actually *crash*, this is a concern. Yes crashes *can* be used to determine an exploit, but that doesn't mean they *do*.
To beat the dead horse of the car analogy, if my car doesn't start, it may be the entire electrical system, or maybe my battery is just dead. The moral is don't try to make a mountain out of a mole hill.
Meanwhile, I absolutely despise the fact that IE does handle a lot of 'bad' code. This is a side effect of the IE monopoly on the browsing world. We're not talking about it handling variables that arent declared before they are used or sumsuch. We're talking about code which *should* be causing errors. Since they don't cause errors most of the time (or are hidden from the user) and most web authors only test with IE, there is a massive amount of bad code on the net which is never fixed.
Now I'm glad that the author has found these crashing bugs in the other browsers. This obviously needs fixing, and I'm glad IE is at least stable when it encounters malformed code, but more error reporting needs to be done to the user on all browsers.
Summary:Good review, brings up great points, kudo's to MS for stability. Now everyone go back to work on your browsers and add blatant *THIS WEBSITE AUTHOR DOES NOT WRITE PROPER CODE* dialogs to all your error messages. It's the web author's fault, it's time we told them so.
-- I have fans? Wow.
Well I'm using Mozilla 1.7.2 on debian (stable) and mozilla_die1.html and mozilla_die2.html both caused my mozilla to crash. Whatever you may think of IE vs mozilla vs whatever, you have to admit that a browser crashing can be a little anoying.
Test if your code is good or not at http://validator.w3.org/
Evolution or ID?
Mozilla shines on broken code too!
What was this story suposed to prove? Oh! You mean browsers running on Windows crash. But they are supposed to crash on Windows. Windows has only one browser.
When you run his tests with Mozilla on Linux it has no problems with the code.
Strange story guys
realkiwi
This just in - a formal testing procedure helps reduce bugs.
In this world nothing is certain but death, taxes and flawed car analogies.
These kind of tools make a hacker proud :-).
Simple, effective means of testing program to find bugs. I'm certainly sold on using this kind of program to test my code. Of course it's only the tip of the iceberg; similar tests should exist for css, javascript, images, http, ftp, etc. etc. etc.
--Eamon
Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis
That's great! Now I can finally read all those randomly malformed sites I've been bookmarking lately.
It's never that simple. If you're talking about an end-user application that crashes, I'd probably agree. But it can certainly be appropriate for libraries to have undefined behaviour given bad input, rather than spending lots of time performing validity checks that are really the client code's job. (Think high-performance mathematical code, where the validity checks can cause unacceptable slow-down.)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Unfortunately, handling the test cases provided with the post doesn't mean it's ok. Browsers were run with randomly generated test cases, and the article says that usually a hundred or so tests were required to cause a crash. The probability of a poorly written browser crashing on any given case is low.
The chances of any single test case being problematic are low, so passing the cases provided doesn't mean Safari is safe. If someone downloaded the cgi that automatically generated tests and left Safari with that for a few hours without crashes, we could then say that it lacks the flaws that Mozilla and Opera have.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
"The renderer adequately makes up for errors in the HTML code, and consequently there are fewer crashes."
This suggests that the solution for preventing crashes is to be liberal about what HTML you allow. You were making excuses for the other browsers implying that they were crashing because of their strict HTML handling, but the fact is that they could have posted an error rather than crashing and still been just as strict.
I just downloaded and ran his test suite against Firefox 1.0PR.
Everything looks fine to me. No crashes. I also ran it against his CGI and the "die" gallery in the tarball. No problems, though it did stop for a few seconds a few times.
Now, he does mention that sometimes the crashes are due to memory exhaustion. I've got the suite running right now on another tab of the browser I'm typing in, and the memory usage is going up, but only very slowly; I think it's due to the logging in the JavaScript console that's happening due to the bad JavaScript that's running over there. After 15 minutes of constant reloading, it's up from 39 to 44 megs. So maybe if you reloaded bad JavaScript constantly for a couple of days, you might eventually run out of memory. Certainly if there's a memory leak, it should be fixed, but IMHO that's not a security hole, while crashing indicates the possibility of one.
Using Safari 1.2.3 (v125.9) and all is fine. Tried the online version of the tester and just got a blank page (with crazy source). No crash, no hang, no problems as far as I can tell.
Score one to the kool aid.
It's a little unfair to blame Microsoft for that. I mean, they create a more flexible product, and people take advantage of that to be lazy. Surely it's the fault of the people, not the product creator. Blaming Microsoft in the this instance is like blaming car manufacturers for selling cars with ABS and traction control, since it encourages people to drive badly (e.g. when they change to a car without ABS and traction control).
[alk]
... and here's why.
With correct data (in this case, HTML), there is a specified action that is "correct". In other words, a correctly marked up table will get layed out, according to the W3C rules for laying out tables. A paragraph will get formatted as a a paragraph, etc.
With malformed markup, the "correct" thing to do is indeterminate. If every browser just takes its best guess, they will all diverge, and the behavior is wildly unpredictable. Even from version to version of the same browser, the "best guess" will change.
"So? You've just described the web!" Well, exactly, but it could have been avoided. Bad markup shouldn't render. It ain't rocket science to do (or generate, though that can be a harder problem) correct markup. If you had do it to get your pages viewed, you would. Ultimately, it wouldn't cost anymore, and would actually cost less (measure twice, cut once).
Of course, what I just wrote only really applies in a heterogenous environment ... which MS doesn't want ... fault tolerance in your own little fiefdom can make sense.
FYI http://bugzilla.mozilla.org/show_bug.cgi?id=265027 (copy/paste, Bugzilla doesnt like /. links)
How come this guy felt it was more appropriate to post this to a widely-read security mailing list than to submit a bug to Bugzilla? Complaining about QA to a group of security experts doesn't improve the product. That's what's great about the Mozilla Foundation, and Open Source in general. Don't just complain "Waah, it's broken", file a bug!
Luckily, someone did it for him: Bug 264944. I can't link from here, but if you visit http://bugzilla.mozilla.org/ and put the bug number in the little search field, you can see it for yourself.
I tried this script on both Mozilla firefox at least 40 X now, and it hasn't crashed yet...
You'll also notice none of this random code tests activex security either, or many of the MS extensions which "enchance" security either.. So I think the tests should be taken more with a grain of salt.. Also while he did say null dereferences, its potentially due to all the same 1 or two flaws, and may not be exploitable at all..
Take this with a grain of salt I'd say, because when you check the tags being tested, there aren't a great amount..
Actually, i just write my html freeform, and if it runs ok in Safari for me, it should be fine for everyone else.
I hardly feel superior to anyone, only to ACs such as yourself.
I suggest you ponder the following statement:
If something is worth doing, it's worth doing right.
It's what we elitist, insecure petty nerds call 'compliant'
Then again, it's quite hard to write 'wrong' ASCII, but you'll probably ask me to ponder:
If something is hard to do, it's not worth doing at all
Some of us who give a damn actually need certain HTML features.
As to your questions, everything I do has the security, uptime, accessibility, and reliability that I need.
I have one more question for you:
Are you over 40 and stuck in a dead end IT support or Junior Admin position? Or are you by any chance Eric S. Raymond?
Enjoy your 'real' life, because I more than enjoy mine, together with my insecure girlfriends, petty salary and elitist friends
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
I must be blind, I completely didn't notice the gallery. I am running hte October 18th nightly of Firefox on Windows XP SP2, and it crashed on mozilla die 1 and 2.
But the thing is that although there are a couple examples there of garbage that crashes mozilla, there are also plenty out there for IE too. I was working as a web developer for a corporate intranet for the last year, and I found many interesting ways of crashing IE6 with Javascript (I can't recall crashing Mozilla with Javascript at any point), but there are also HTML only ways to crash IE.
Almost everytime I click on an article, what appears on screen makes me feel like I am loading broken layout code into my browser, resulting in multiple clicks of the Reload button.
However, the same code works fine in Internet Explorer, every time.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
He should have randomly fed STABLE code into each of the browsers and saw IE continue to freeze and hang while the other browsers continued to present real data to the end user ;) Sure IE may not suck for bad code, but I like to look at real code with real information and I know that IE hasn't quite figured that one out yet ;)
You create your own reality - Leave mine to me.
My point is a browser that runs bad HTML code implies bad programing methods.
Bad implementation of the standards maybe, but it has nothing to do with the programming methods.
Processor power is cheap compared to engineer salaries. If you aren't prepared to take the hit for an "if(foo)" conditional, then be prepared to pay for my time in finding the flaw in your code.
If you were blocking sigs, you wouldn't have to read this.
Perhaps the compiler and Memory Manager is such as to automatically discourage the software to do destructive buffer overflows?
I've noticed in the past that with writing flaky software in windows you can just ignore many memory related errors and continue with execution... or at least this is more common practice. In most cases this is justified IMHO.
HTML is out there, and millions of malformed pages exist. Most of this is a result of mistakes by authors, but some of it is a result of the moving target that HTML has presented in the past. /. story is also about how various browsers, including the saintly Firefox, can be made to *crash* given certain input. Just thought that should get a mention :)
While your argument is attractive in principal, in practice it's misguided. The horse has bolted. in 2004, no-one would use a browser that didnt work with a huge proportion of the web's content. This is an area where pragmatism is required.
And to respond to the ubiquitous MS-bash, let's step back and remind ourselves that this
(And BTW, I speak as a Firefox user)
I tried out Firefox a couple of days ago, and was pretty pissed off that it would crash while doing, quite literally, nothing. I had loaded slashdot and fark in seperate tabs. Was off playing pokerstars in wine.. went to go back to firefox after about 10 minutes, and realised it wasn't in my task bar anymore. Oops!
unstable. as. hell.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
I wonder what happens when I try the output on the w3c validator.
So can those people who have tested his code write
PS: I'm here at work on Mac OS 9 and all browsers are pretty old, so I don't write anything...
I don't need a signature.
I downloaded the tool and started looking in the files. The first file is the Makefile. Here I noticed some confusion between globing and regular expressions. The expression core.[1-9][0-9]* would make a lot of sense if it was a regular expression. But shell expansion does usually not use regular expressions but rather globing, which is slightly less powerful. That means make clean does not remove a file named core.9, but does OTOH remove a file named core.10abc. Of course he is not the first person to make that mistake, and it is easy to miss when testing.
Do you care about the security of your wireless mouse?
But handling it sufficiently well that you don't crash would be a good thing?
Cheers,
Roger
Do you have any better hostages?
I've once managed to kill my Windows XP by similiar experiment. I've wrote a simple ASPX that generated randomly damaged WMFs and displayed them in browser doing reload afterwards. I don't know how well WMF problems were fixed after several WMF-related vulnerabilities are published, but the problem is that metafile data is directed right to GDI32 via PlayMetafile() and some of not-so-checked data even manages to get through to kernel-level win32k.sys. EMF has similiar problems. During these cruel experiments I've caused IE to crash many times, and after 30 mins of testing i've got BSOD. I've rebooted Windows, and it didn't find it's registry ... :( NTFS was severely damaged, and unfortunatelly the corresponding "test case" (broken wmf) was lost...
I think the point is: If IE responded to bad HTML by showing a blank page, there would be less bad HTML in the world. That doesn't excuse other browsers crashing, but it does mean that IE's behaviour is slighty better, not right.
A tool like this would let the average wanna be contributer find a reproducable bugs and try to fix them. Which brings me to my dumb question: Is the Mozilla gecko engine more easily built/tested than the whole of Firefox? I love FF, and wouldn't mind throwing some cycles at improving it, but the entire build process is a bit more than I really want to take on... If I could just build and unit-test the failing component I'd be more likely to try.
Anyone have pointers beyond the hacking section at MozillaZine?
My guess that most of the issues are the latter two, though obviously this needs to be verified. Most things probably stem from poor error handling and edge case. It will be interesting to see if this turns up any real security holes.
This reminds me of the article some years ago about a project reported in an ACM publication to feed broken command lines to UNIX. They found numerous problems doing that.
Having done both commercial and open source software, I've not found one to be all that better than the other. Sure the best open source project is better than the worse commercial. I'm just not sure the average is that different.
You raise a nice question.
I would love to see a plugin for Firefox which enforces a "use strict" like with Perl.
When the plugin is enabled (a buildin option would have my preference, though), bad code won't be rendered at all.
Just like in the days of Mozilla prior to 1.0, before then it hardly ever rendered bad html, afterwards they focussed more on the "Website compatibility"
I'm not quite sure what this is supposed to prove. I refreshed the page a good 20 times at least, in 'Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1' and no crashing whatsoever. Could this be a Windows-only bug?
And also, about those NULL pointer references... the only ones I found were displayed in the JAVA CONSOLE and did nothing to affect the stability of the browser.
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
A person writing a 'Linux advocate article' is likely to be making extensive use of CSS in order to properly separate the document structure and style. In other words they create documents that are easier to maintain and comply with the standards.
I don't suppose most of them will cry if IE renders it slowly but I doubt that's their primary reason for doing it, although they'll certainly be aware that IE's CSS compliance sucks.
So I'm betting Mozilla/Firefox actually crashes regularly on non-techies simply because they visit sites that most techies don't bother to test the browser on.
My wife uses Firefox on Win2k. In the months she's had it it has maybe crashed once. She visits all sorts of random sites that "techies wouldn't test their browser on"
I've been using Firefox since it was Phoenix and Mozilla pre 1.0 before that. Combined all generations of the browser have crashed maybe a dozen times for me.
Contrast that to IE that crashes about every 10th time I use it.
It probably depends on the computer, what else is running, etc. etc. I'm willing to bet that has much more to do with it than the browser itself. You can also report these bugs and they will get fixed.
The Anti-Blog
With malformed markup, the "correct" thing to do is indeterminate.
Well, that's debatable, but one thing that's for certain is that you absolutely should not crash due to malformed data. That's bad enough in a browser that doesn't support tabs, but in a tab-capable browser it's unforgivable. That one unparsable webpage that causes the browser to crash is a serious annoyance if it takes out another dozen or so tabs in the process.
Even ignoring questions of pragmatism (raised by other respondents), at the very most the browser should display some sort of "malformed page, unable to display" error. User input (which this is essentially) should not be able to crash an application. My compiler doesn't crash because of syntax errors in my code, why should my web browser?
It's official. Most of you are morons.
sorry, that's all i got...
Could somebody explain why bad pages can make a browser crash? For what I know, if a parser is fed illegal code, it simply returns "failure in parsing" or something like that. Why should it crash?
Bad markup shouldn't render.
It shouldn't crash the browser either.
If any input, even a pathological one, can crash my program, then I need to fix my program. Always.
My Karma: ran over your Dogma
StrawberryFrog
I tried using Safari 1.2 on OSX and have had no problems. No crashes, no hangs, no problems. Loaded the test a few dozen times.
Assuming he used Mozilla, did he file a report in Bugzilla?
But it can certainly be appropriate for libraries to have undefined behaviour given bad input
Well, that is arguable. All that means in a case like that is that the code that needs to be fixed with some extra checks is the client code to that library. It still needs a fix somewhere.
My Karma: ran over your Dogma
StrawberryFrog
At least I tried these examples with Konqueror and it did not hang or crash.
I tried the mozilla ones with Mozilla 1.6 and firefox 0.9.1, and they both crashed and burned. The Opera test crashed my Opera 7.54 (opera remembers where it was, so yay).
I tried the lynx (version 2.8.5rel.1) one, and um.. well.. Linux doesn't handle programs eating memory really quickly very well. I was getting mouse lag, and my system was really unresponsive. I hit ctrl-c about a thousand times, and managed to bring up KDE system guard and kill it.. it was using like 500MB of RAM. Nasty nasty stuff.
-- The doctor said I wouldn't get so many nose bleeds if I just kept my finger out of there!
You mean Gnu/Linux/Apache/Mysql/Perl/Python/PHP system, right?
I have 3656.9 Bogomips. How many Bogomips do you have?
Are we assuming that having a program continue to run after parsing bad code is a good thing? Yes, it keeps running until someone can find a way to malform the code enough that they can take complete control over your machine.
I think I'd rather use a browser that abends.
The1Genius - Littera Scripta Manet
...because it doesn't need the .NET CLR installed to run.
I have never had a problem with my Firefox crashing (ever).
Yesterday Firefox crashed numerous times on this page (great show BTW) after I clicked on a character and then clicked the 'character bio' link. I got to the page by clicking a link in an email in Outlook 2003. I've had this happen occasionally while browsing. I can't really compare IE, since I rarely use it. All in all, I'm pretty satisfied with Firefox--they probably just need to clean it up a bit.
It's easier to wear the spandex than to do the crunches. --David Lee Roth
I tried each of his 'die*.html files and none of them killed my browser. Most just resulted in blank pages.
I'm using Safari, on OS X (10.3.5)
I drank what? -- Socrates
HTML 4 Transitional was designed so that it wouldn't be so much work for sites to change their markup from the previous, somewhat ad-hoc standards. As a result, it includes various tags and attributes from HTML 3.2, usually to do with more visual aspects of page layout. Such features aren't present in HTML 4 Strict, where CSS is used for visual formatting (almost) throughout.
In HTML 4 Strict, how does one number an ordered list starting at 10? The value attribute of the li element (<li value="10">) is missing.
$ badhtml.o | /dev/null
hey, my script doesn't crash either, and it's only one line! of course, the caveat is that it only displays GOOD tags about as well as IE, too...
They just used
On Error Resume Next
I Encrypt My IM's
RTFA before modding this whatever...
Or does it seem rather amusing that IE, a poorly written browser with many security holes that *brilliantly* links into the OS (not), allows poor code not to crash it...
Then again... properly written code it seems to have problems with.
Oh well.. I guess that's what you get.
The price is always right if someone else is paying.
I wonder if arbitrarily rendering image code spat into the middle of a page could be used as a vulnerability? Anyone ever try this?
You're reading Slashdot. Of course you like Linux and pc hardware
I hope you have reported the hang on http://bugzilla.mozilla.org . I would even mark it as security sensitive and as a possible Firefox 1.0 blocker.
It's only when people actually report these kind of problems, that they will actually get fixed. Otherwise you can still wait a long time for a fix, as it's not very likely someone else will hit this bug.
...and what about the that he fails to mention then eh? http://www.neilturner.me.uk/2004/May/04/the_input_ type_crash_bug.html
To be secure, you really need two passes, the first to ensure that it "compiles" correctly, or probably better to partially display as it compiles correctly or correctively. I don't imagine we'll see such a slow browser though.
Someone tried to say that crashes=security-hole. That is possible but doesn't follow. It is quite possible that IE's recovery system is going into wierd areas of the code in the recovery and that might be the greater security hole. What IS IE doing? If something crashes, it might be a DoS, but at least it doesn't send your password file. I don't think I've seen very many cases where these are exploitable - you can't "inject" code, merely cause a crash. Maybe the others need an exception handler?
IE has had more documented holes (and fixes). Maybe they will find more in FireFox and Mozilla as time goes by, but I doubt it. If they do I think they will be fixed more quickly since Firefox is NOT part of the OS. The monolithic design has its flaws. There is a dicipline in having to be cross-platform and by separating out the components - flaws tend to be isolated.
Netscape used to crash very often. Looks like the Mozilla people didn't learn much from it.
b id=182569">Description of Internet Explorer security zones registry entries</a>
n dows\Curr entVersion\Internet Settings\Zones\0\Flags
w s\Curre ntVersion\Internet Settings\Zones\0\Flags
Mozilla is just as sucky security-wise as the old non-mozilla Netscape (3.x 4.x). Whether it is OSS or not doesn't make it secure/insecure, it's the programmers that count. Look at Sendmail and Bind (and many other ISC software), security problems year after year for many years. Look at PHPNuke - security problems month after month for years. Look at OpenSSL and OpenSSH and Apache 2.x - not very good track records. Compare with Postfix and qmail, djbdns.
Most programmers should stick to writing their programs in languages where the equivalent of "spelling and grammar" errors don't cause execution of arbitrary attacker-code. Sure after a while some writers learn how to spell and their grammar improves but it sometimes takes years. For security you need _perfection_ in critical areas, and you need to be able to identify and isolate the critical areas _perfectly_ in your architecture.
To the ignorant people who don't get it. Crashing is bad. A crash occurs when the (browser) process write/read data from areas where it shouldn't be touching, or tries to execute code where it shouldn't be executing. This often occurs when the process somehow mistakenly executes _data_ supplied by the attacker/bug finder, or returns to addresses supplied by the attacker...
This sort of thing is what allows people to take over your browser, and screw up your data (and possibly take over your computer if you run the browser using an account with too many privileges).
So while the FireFox people get their code up to scratch maybe people should reconsider IE - IE isn't so dangerous when configured correctly. Unfortunately it's not that simple to do that.
To make even unpatched IE browsers invulnerable to 95% of the IE problems just turn off Active Scripting and ActiveX for all zones except very trusted zones which will never have malicious data. Since I don't trust Microsoft's trusted zone (XP has *.microsoft.com as trusted even though it doesn't show up in the menus), I create a custom zone and make that MY trusted zone.
By all zones I mean you must turn those stuff off for the My Computer zone as well - but that screws up Windows Explorer in the default view mode (which is unsafe anyway).
For more info read this: <a href="http://support.microsoft.com/default.aspx?k
To make the My Computer zone visible change:
(for computer wide policy)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi
To: 0x00000001
(for just a particular user)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windo
To: 0x00000001
If you don't want to edit the registry and make the My Computer zone visible, you can still control the My Computer Zone settings from the group policy editor (gpedit.msc) or the active directory policy editor.
You just have to know some Microsoft stuff. But hey, securing an OSS O/S and _keeping_ it secure (esp when u need to run lots of 3rd party software) also requires some in-depth knowledge.
Jon Postel said it best: "Be liberal in what you accept, and conservative in what you send." A web browser that crashes due to invalid HTML fails this test. Execution must stop at once... yes, but the program should handle the error. A program that crashes is the Operating System handling a program with bug. See RFC 1122 for more details about the Requirements for Internet Hosts. Section 1.2.2 about the Robustness Principle explains better than I can why you're wrong.
Admittedly, crashing isn't supposed to happen either, but I'd like to see one of these turned into an exploit before its declared an exploit. The argument that IE Buffer Overflow exploits are found and exploited in this manner doesn't mean that all program crashes are potential Buffer Overflow exploits - that's just does not follow.
It appears from other posters that the behavior depends on the OS you're running, which leads me to guess it might be an issue involving both the OS and the browser rather than just a browser issue.
Along those same lines, the security issue is going to be vastly different depending on the OS you're running the browser under. Mozilla may not provide the same security exploit under your OS as it does under Windows. Example: This bug fix (http://www.mozilla.org/security/shell.html) directed at fixing a *Windows Exploit*.
Finally, you'll not convince me Internet Explorer is a browser to use until its no longer a wide-open-gate for adware/spyware, virus and worms. Even then, I'm gonna have reservations based on IE's history.
Wanna be safe on the Internet? Use anything but IE.
My affinity for hyperbole knows no bounds
So I was running the Mangle CGI from his site:. cgi
w d.dat
http://lcamtuf.coredump.cx/mangleme/mangle
and got this weird page:
----------
I see a bad moon rising.
I see trouble on the way.
I see earthquakes and lightnin'
I see bad times today.
Don't go 'round tonight,
It's bound to take your life.
There's a bad moon on the rise.
The page you are looking for is still somewhere around... Go and find it, if you can!
For private files archive, click here.
------------
the "click here" redirects to:
http://lcamtuf.coredump.cx/_private%20warez_/
which looks like:
----------------
SECEXPERTS ARCHIVE: RESTRICTED ZONE
Enter XGB password:
----------------
of course, i dont know what the password is, so i just put in something, and it says:
---------------
SECEXPERTS ARCHIVES: ACCESS DENIED
INCORRECT XGB:21 PASSWORD!!!
Your password is not valid. Try again.
To recover your password from XGB token certificate file, please download it here and use the recovery agent. In case of any troubles, please mail me.
-----------------
The "download it here" is a link to: http://lcamtuf.coredump.cx/_private%20warez_/pass
and the "please mail me" is a link to:
mailto:lcamtuf@coredump.cx
Interesting..... Very interesting....
I sure am glad I use emacs to surf...
All's true that is mistrusted
A looong time ago I designed hardware. A young software guy was given the task of writing a diagnostic for a memory board I had designed. He spent a lot of time investigating bit patterns and data patterns that caused failures in the specific memory chips we used.
About 4 weeks after he started, he came to me and congratulated me on my marvelous design: his test had run for 2 days solid with no memory failures. Not that I have trouble taking a compliment or anything... I asked to see the test setup. I unplugged one memory chip and the test still passed.
A week later he came back and told me that now it worked. Yeah, it would detect one chip pulled in one bank but when I pulled a different chip from each bank on the memory board it only detected the first bank failure over and over again.
The point of this story is: the software engineer was only interested in whether or not the test ran. I was interested in whether or not the test actually caught errors.
Now: why in the hell did it take a Microsoftie to code up this kind of test and run it on these browsers? How did the coders of these browsers test? By just feeding each browser properly formed HTML and making sure that they rendered right? That is only 1/2 the job!
I now write embedded firmware for a living. I only spend about 1/4 of my time getting the software to do what it is supposed to do with well-formed input. I spend the other 3/4 of the time making sure that mal-formed input does not cause the code to do anything hinky!
Credit where credit is due: kudoes to Microsoft for this particular facet of their browser. And shame, shame, SHAME on the open source coders responsible for those browsers!
bet not. :-) Just stop touting Firefox as the end-all-be-all of browsing. Everyone has problems. IE is just the most publicized.
Bad markup shouldn't render.
Well, here's an example of where XML is your friend. XML requires well-formedness in code; if something like an end tag is omitted, the page is not well-formed and is broken. A correctly-conforming XML parser (such as the Gecko engine) will not render the page, but will display an error message.
This doesn't absolutely prevent someone from writing an XML parser that, like HTML parsers, stumbles its way through bad code, but it is explicitly outlined in the RFCs for XML that non well-formed code should not be rendered. (And practically speaking, XML parsers really do have to honor this; by definition it would be nearly impossible to have an XML parser that rendered XML correctly if it was agnostic to well-formedness.)
Mozzie failure modes would make for nuisance DOS, not subjigation of your system.
I thought getting a DOS prompt on a remote system through the web browser was subjugation of the system.
I think a lot of people are missing the point here. I don't have time to personally verify whether the author's claims are correct; let's assume they are. The type of errors he saw are potentially the type that could be exploited via the tried-and-true buffer overflow method. This is the kind of thing that leads to "execution of arbitrary code", in other words, 0wnage. If Bad Guys craft a apecial web page, they could target those of us who use these non-IE browsers.
In other words, the people who have been defending IE (and Microsoft in general) by saying "your Mozillas and Operas have been safe from security problems only because nobody uses them" will not only have a field day, but now the clock is ticking. There's proof that there are promising means of attack against these browsers. Someone is surely going to research this. I really hope the good guys developing these browsers rise to the challenge and tighten up the code before we (the people who have been recommending them for years) start losing credibility. I'm inspired to look into helping them out.
Sorry if this seems incoherent, I keep getting interrupted as I type this. Stupid work...
I am utterly confused what brwoser to use tomorrow.
This is clearly a lot of security problems for mozilla/firefox.
Opera is also not an option since the opera_die clearly is an security breach on opera.
Lynx is an option (limiting the memory of the current session. ) but is ugly.
i.e. has a long history of security problems and that is an important issue not to use it.
Should i use one of the other browsers that is not i.e. based?
Because the complexity and importance of our web browsers continues to increase, security of those applications will never be "solved" or "fixed".
Other steps must be taken to deal with these issues. What we can do is treat the symptoms.
For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.
I believe the browser projects need to work with the community to support that type of runtime configuration.. Before a big nasty vulnerability does damage.
Chroot, in particular, is very tricky.
It's common knowledge that IE is fault-tolerant. So it can render malformed code... wake we when it can finally properly render well-formed code.
It's not exactly what you wanted, but at least this HTML validator extension for Windows or this validator bookmarklet doesn't require an $800 hardware key.
Ther are no exceptions to Postel's Law.
Why is anything anything?
Well, here's an example of where XML is your friend.
Not if you're trying to maintain compatibility with the 94-percenters. XHTML doesn't work in IE. Send XHTML with the proper Content-type: application/xhtml+xml and you get a Save As... dialog box; send XHTML with text/xml and you still don't get access to the HTML DOM.
The fact that it does crash some browsers indicates that they probably are trying to run part of it as code
No, it doesn't. Not at all. For example, if I feed the program "i=i/x" the number "0" for x that program may crash. But that doesn't mean the 0 was executed as code or something.
There are many ways of crashing on bad data that don't point to this kind of security problem. In order for a malicious exploit, you need to get bad data in just the right place - in a place where the address of some legitimate code is stored, and where that address is going to be used. You then need another fairly certain location for the exploit code you can point to.
Sometimes a crash does point to a vulnerability like the above (usually do to stack return addresses). But often not. And suggesting that all crashes point to some execution of data is just wrong.
Let's not stir that bag of worms...
I understand your point, but are you sure you replied to the correct post? This has nothing to do (if anything) with what I said in the parent...
My point is to rebute the argument of the grandparent which assumes that rendering well broken HTML and not crashing on broken HTML is completely dissociated...
Write boring code, not shiny code!
Assembling etherkillers for fun an profit
Firefox crashes out on me once or twice a day, taking not only the page it was rendering but all the other tabs I had open with it.
Sure, perhaps malformed HTML shouldn't render. But I'd much rather it rendered than crashed the browser, which is bad.
I used to have Firefox crash and burn regularly on various webpages - linux and windows. The browser would segfault and be gone, sometimes without visible errors
Eventually I noticed it seemed to be mostly with pages having Flash content. I ended up nuking my plugins folder and reinstalling the flash/Java plugins, now it crashes a lot less.
While the article indicates it is possible to crash on bad code, you might want to check your plugins too just in case.
...I first read about it in this CACM article (v33#12, Dec 90). The authors generated random text strings and fed it into UNIX utilities, producing a variety of entertaining crashes and lockups.
"A good portion of the paper discusses common mistakes made by programmers that caused the utilities to fail..." want to bet they mention buffer overruns? (sadly, full text requires ACM membership)
now watch as all the browsers implement this, and millions of geeks around the world scream because they can no longer read slashdot.
If I don't put anything here, will anyone recognize me anymore?
Come on guys, this is so obviously propoganda. The guy spends a month trying to find a way to crash mozilla, when it took me 2 minutes on google to find a way to crash IE:
t en-things-to-do-in-cleveland-before-youre-dead/
http://www.meyerweb.com/eric/thoughts/2004/09/14/
-ben
I did much the same to test a user interface written by another programmer on a project we were assigned to. The interface wasn't a gui, it was a pure ASCII type, so I wrote a random character generator and threw the output at her interface for days at a time. Crash. Crash. Crash. It was wonderful. I don't know that it found every flaw, but I'll bet no one ever killed her interface by leaning on the keyboard (as actually happened on an earlier project I'd heard about).
I ran into similar issues with IE ignoring stuff and Mozilla catching it a few years ago when I was developing one of my first web applications with servlets. Mozilla was a great browser for testing my web apps during development. I remember I had a bug in my code that was supposed to populate a dropdown with options from a database but instead choked somewhere in the model layer and populated it with a bunch of breakspaces. Mozilla would show me the space characters in the dropdown where IE simply ignored them and pretended like the dropdown was empty.
It's a real pain in the neck for IE to not try to show what's actually there because when I first looked at the page in IE I assumed that I just wasn't getting what I wanted from the database since my dropdown was empty. In reality it wasn't empty, IE just didn't want to show me 1000 breakspaces as an option in my dropdown which is bad from a developer's standpoint. However, masking and hiding bad code and data is something that I absolutely want a browser to do when the application is out in production being used by my clients.
The bottom line is you should always develop your web applications with a browser like Mozilla that is going to catch your mistakes but once your application is out the door it's better for clients to be using a broswer that will hide any mistakes you didn't catch!
While I'm not thrilled that the browser I use seems to have some egregious problems in its parser, I feel Larry's done us (free software community) a huge service by providing us with the tools that highlight those areas that need improvement.
sloth_jr
NSCA Mosaic successfully survives all of these pages. This just shows that programmers these days Just Plain Suck, and Mozilla is the living embodyment of this.
There's no good reason that code should be vulnerable to integer or buffer overflow issues like this.
Would you accept 6mm nuts for 8mm screws? After all, the primary purpose of the shop is to sell you stuff, not to enforce the standard...
Stephan
It appears that the overall quality of code, and more importantly, the
amount of QA, on various browsers touted as "secure", is not up to par
with MSIE; the type of a test I performed requires no human interaction
and involves nearly no effort. Only MSIE appears to be able to
consistently handle [*] malformed input well, suggesting this is the
only program that underwent rudimentary security QA testing with a
similar fuzz utility.
So.. maybe Microsoft code isn't so bad, after all? Let's see the spin on this from the MS-is-the-devil crowd..
I am the maverick of Slashdot
I still use IE because IT WORKS. Sadly, IE may not be the most standard compliant browser, but very few web pages are standards compilant. Firefox and mozilla and whatever are al cool, but many sites (particuarly those with non-technical submatter :-P) just do not work as intended outside of IE because they were built for IE.
http://brandonbloom.name
I have to ask:
When saying that Microsoft Internet Explorer didn't crash, does he mean that the window never went away, or that the program iexplore.exe stayed running? I can't prove it, but I suspect that the "IE" window would survive a crash of the rendering engine, because the window is actually provided by explorer.exe, which is the desktop manager.
I also suspect that several of the open source browsers could defend themselves against this kind of crash within a day or two, simply be using a two process model. Personally, I would rather they did not! (I want to see it fail, otherwise I would not know something was wrong.)
Of course, what I just wrote only really applies in a heterogenous environment
Wrong. This only applies in a homogenous environment where you can force everyone to write good HTML and force every application to ignore bad HTML. In the real world every developer and web-developer makes his choice. And it just so happens (by virtue of natural selection) that for browser-developers it makes most sense to write code that understands bad HTML. This way their product works better, users are happier and their browser enjoys the 90% market share. Microsoft is not evil (in this regard), they are just being rational.
Future Wiki -- If you don't think about the future, you cannot have one.
I wonder how much of IE's "stability" is because of good code and good parsing, and how much of it is due to the fact that IE didn't *know* it's eggs were scrambled?
It wouldn't be the first time that a program went on "running", only to *eventually* go out to lunch and not come back.
At least the others *noticed* that something was wrong - and died.
You aren't remembered for doing what is expected of you
Every sizeable project is likely to have bugs - fact of life. What's going to be really telling is seeing how long these problems take to get fixed as compared to the average MSIE exploit.
I watched "Moon Child", the VCD verison, and BOTH times when Xine reached the end of the VCD, as the last of the credits rolled, the entire laptop locke up.
.9.x release, and has not normally done this on other DVDs or VCDs I've watched. Just with Moon Child, the Japanese version with English & Jpns/Chns subtitles. Periodically, after taking 10 screen snaps with Xine's camera icon, Xine would just disappear. I'd then have to stop Alsa, by running /etc/rc5.d/S17also force-restart
Nothing worked, not even ctrl+fn+someletter would work. I am an avid Lxr, and I only use win98 inside Win4Lin, but last night I even had that off, I reniced MySQL to something like +15, and at one point reniced Xine to -9 or -10 before shutting it and restarting it.
However, I was off-line, and did not even have Firestarter nor Etherape running, so my CPU is not being overloaded. I do notice, unrelated to Xine, that running Win & in X4ce starts MUCH faster (as when KDE is FRESHLY run) than currently in KDE. I imagine one of my hidden dot files or authority or temp files is trashed, or maybe something in a win4lin path is hozed. Maybe my box has been cracked weeks ago. I dunno. Have to check my logs.
However, I accept that xine is
And if Xine was alive at that point, the force-restart would kill it dead.
I know this is not exactly along the lines of browsers, but if VCDs and DVDs are being watched while a user is on-line, who knows if a batch of bad code is being fed to the userspace tools? Who knows if other compromises already on the box are aggregating to worsen things with a new breach's arrival. Fortunately, I prefer to yank my ethernet anytime I'm not surfing. I tend to yank my bband router, too, to keep its visibility low.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
The Internet can be accessed just fine (spyware, viruses, and worms aside) with a Pentium 100Mhz computer. Windows XP cannot be installed on such a machine.
That's not even a very tough test. A tougher test would be to generate calls which are permuted slightly from valid ones.
grep -iw skynet
no wonder IE is so slow compared to other browsers.
Just to be clear, the user doesn't care. In "user" terms, there is a web page, and a browser that fails to render it is broken. This is intensely annoying to those of us (and this includes me as well as you) with technical mindsets, but it is true nonetheless.
I'm well aware of the nature of XML, and what the standards people would like to have happen. I'm also well aware of how frustrating it is to run a web site that has to work in browsers that's don't support the standards; I maintain a large site myself using XML, XSLT, HTML and CSS amongst other buzzabbreviations. However, the simple fact is that in the real world, standards are simply a means to an end (or not). If you're writing software for users, then the user experience is all that matters. Anything else -- standards, security, UI, file formats, whatever -- matters only to the extent that it affects the user experience.
As an interesting aside, you might like to read the AC reply to your previous post as well, and note that in fact C compilers do frequently have to deal with not-quite-right code because C programmers, like web developers, make mistakes.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Unfortunently for Mr Larry Osterman the www today is consisted of really "we formed html + more) code and the randomly mallformed pages are very few in number. The fact that MsExplorer does not crash on mallfomed code cannot by itself cannot make me feel secure and switch for example from firefox to MSiE. The problem out there today is that there are very carefully crafted sites,scripts,"applets" (not to mention even jpeg's) that are waiting to be rendered REALLY succesfully by our "trusted" MSiE and noone else. So I am waiting fom my firefox to crash on a randomly mallformed site and I leave all the succesfull rendering of all the "other" sites to MSiE
I find it amazing that anybody puts bytes in a buffer without doing a boudary check.
There is more than enough CPU power to do it and it would dispose of entire classes of attacks.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
OK, a lot of replies to my post have been the usual defence of Moz. I understand that; most of us are fans, and like many of you I use Firefox myself. But really, I didn't mention the margin hack and I didn't mention pages that browser detect. Gecko is quite capable of messing up perfectly standards-compliant pages in its own right.
For example, try playing with HTML+CSS pages and working with list tags. Try it particularly while you're working with block elements, floats, etc. You can easily get things like bullet points for unordered lists floating off the left of the containing box -- clearly not the intent of CSS standards. Trying to use an in-line format for lists rather than the usual vertical arrangement is a road to ruin as well. To their credit, they are getting better, but there are plenty of examples like this where IE does get it right and display a page sensibly, while Gecko's display is at best unpleasant. If you're going to give a point to Moz/FF for getting the box model right, you really have to give a point to IE for understanding elementary CSS when applied to lists.
Although we're talking about HTML specifically in this thread, there have been plenty of problems with XML/XSLT in Moz/Firefox as well. Simple XSLT elements for things like counting just didn't work properly for a long time, which meant those of us who really wanted to use XML+XSLT+CSS for Intranet sites and ditch HTML altogether couldn't if we used Moz (though IE can count, apparently) and had to use some intermediate step to generate (X)HTML that Moz could render properly instead. Again, to their credit, I think the dev team fixed this specific XSLT issue a little while back now, but it was outstanding for a long time.
Those are two concrete, and quite wide-ranging, examples where IE is clearly superior in how it renders the page, according to W3C standards, to Gecko-based browsers. Some web pages do work properly with IE and don't work properly with Gecko, even if they are completely compliant with W3C standards. Can we just learn to workaround the box model flaw like everyone else and play nice now, please? :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
100% valid CSS and XHTML continues to crash IE.
It mentions there is no scripting or stylesheets in this test--just random HTML tag soup. So yes, there was a very defined, arbirtrary range established. The results are disappointing for IE competitors for sure, but given IE is at major release SIX and at the end of its life cycle, while the likes of Thunderbird are for less mature (barely at 1.0 and at the early stages of its life cycle) I would expect and demand no less than perfection from IE.
Given the arbitrary limits on this test, it appears to be designed specifically to make IE look better than its competitors and prove some point rather than be an objective investigation. It is well known that the most serious problems in IE are with scripting and CSS support being unstable, broken or incomplete. A similar test should be conducted of IE should be done with these included. Kudos to the author of the bugtraq entry for doing this kind of testing, but I don't think the editorial commentary regarding the amount of testing of these browsers or their attention to security is warranted or productive.
The author freely admits he did not seriously analyse the source code for the root cause of these crashes (and in the case of IE, he cannot do so even if he wanted to--but that doesn't stop him from proclaiming it as superior quality). He also provides no evidence that these bugs compromise security in any way beyond consuming system resources, so it was not exactly appropriate to attack their security abilities without further study.
As to the jibe about lack of testing...Many of these alternatives are open source projects, not yet at official 1.0 release yet people! Being open source, the whole point of exposure is to get many eyes looking at the code, and get people involved in improving the code. He seems to know a great deal about programming so I suggest he volunteer some of his spare time to the Mozilla project to make things right, if he is indeed THAT concerned about the issue.
'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to...'
Did they forget to mention that IE didn't appear to crash any more than it normally does, regardless of malformed HTML?
Computers are useless. They can only give answers. --Pablo Picasso
Ran test on mine, coz I was bored.
Didn't see a problem with Konqueror 3.3.0. I had a look at all the files in the pretty gallery and ran the cgi thing for about 15 minutes before getting bored of watching random stuff.
Top marks KDE team. r0x0r
Gaelon 1.3.15 survived for the 15 minutes of the cgi thing I could be bothered with again, but died on the gallery stuff.
Bad Gnome. sux0r
Yes, I know 1.3.15 is oooold. I don't update my Gnome stuff for a reason. Seems I have another reason now.
I took sandpaper and scraped it all over several media, including VHS, DVD, CD, Betamax and Vinyl.
The VHS and Betamax performed much better than the others, particularly of note was the DVD, and CD. They failed miserably.
George II -- Spreading Freedom and American values, one bomb at a time.
"My point is a browser that runs bad HTML code implies bad programing methods."
If Firefox, et. al. simply refused to render the page (i.e. said "HTML too ugly" and showed a blank page), that would be fine. That's not what they are doing. They are *crashing* on bad data. A program should never crash on bad data (no matter how bad); it should generate some kind of exception and take appropriate action.
To put this another way, Firefox is not recognizing that the data is bad. That's why it's a security hole.
Tried the gallery examples, firefox crashes reliebly, links does too (from the error messages it looks like they actually catch the NULL pointer - it says "malloc returned NULL pointer" - but don't react to it)
However, I was not able to crash lynx with the example. It takes a while to render the page, but it renders it just fine (considering it is actually invalid HTML). Perhaps it depends on the amount of memory you have.
If I remember correctly, while ago there were rumors being circulated that IE is specifically designed to deal well with invalid HTML. Lot of people were of the oppinion that it is really bad, and that invalid HTML code should be rejected. Thay said IE basically encouraged sloppy web design.
AccountKiller
...when I tried it in IE. Although, several other links given did work, and IE crashed.
I suspect that like MS's security holes, IE's crashes are worse than thsoe of rivals: try using OBJECT to embed a webpage in itself for example.
Internet Explorer has a well-deserved reputation for working well on nearly every web page that matters - i.e., those involving the exchange of money. It's only its abuse in monopoly practices, i.e., Microsoft's absurd attempt a few years ago to shackle a simple web browser to OLE and ActiveX "standards" the world rightly sneers at, that makes my hackles rise. If the devil is a woman, Internet Explorer is her browser of choice, and would be mine except that Apple ties "security" to the use of Safari, a vastly inferior product imho.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Oh so very, very funny ... thanks for taking the time to post that AC.
My affinity for hyperbole knows no bounds
...with all browsers I have installed on this system.
Sat there with IE for about 10 minutes, firefox for 2 10 minutes periods, lynx for about 5 minutes, hitting the reload button over and over, approx about ever 1 - 5 seconds, depending how fast did each page load.
No crash in IE or firefox. No crash in lynx, either, hanged lynx after 5 minutes. I didn't have time to wait and see if lynx eventually comes back (in the gallery example, lynx didn't actually go into an infinite loop as the site claims, it just took about 10 minutes or so to render the page).
Crashed links almost immediately every time I tried it.
As far as I can tell, both Firefox and IE handeled it pretty well, considering the garbage being thrown at them.
AccountKiller
This is simply a misunderstanding of the article (no offense). The examples are specific outputs of a random machine. The outputs in question happen to kill the browser the file is named after. So by testing the html pages that are presented you've missed the beef of the article/posting, which is the random machine that came up with those specific html pages.
The true test is to download the man's application mangleme.cgi, install in on a server, and then point Safari at it.
I have done this and Safari (1.3 developer release) crashes quite quickly.
So does IE 5.2 for the mac.
As a side note. Netscape/Mozilla has had something, similar, but not quite the same as this for some time now. Called Browser Buster. It did not generate random html, but did continuously feed real websites, chosen somewhat at random until the browser crashed. I remember we used to have goals, like "last 24 hours on browser buster".
Joseph Elwell.
sooo, basically, Every browser cept IE crashes when they are forced to, but IE is the only one that crashes when it is not supposed to...sounds like this study only makes IE look worse... -jordan
Another test he could do is to report all the bugs he discovered that he can recreate on demand to the team that writes the browsers, and see which team comes up with a fixed version the fastest.
<business manager>
<shrug/>
Some customers are worth losing. I'd rather spend my limited budget in a way that appeals to 95% of the visitors to my site.
</business manager>
I agree that it would be nice if web sites were all written according to standards and all worked in any browser. But right now, the world doesn't work that way, and expecting businesses to adopt some sort of moral stance on this at the expense of potentially vast sums of money is unrealistic.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I just checked all the "free samples" against IE 5.00.2314.1003c (the Win2K team's internal build, and the only IE version that I consider halfway decent). It dates back to late 1999. My copy has NOT been patched.
NONE of the samples crashed my IE5.00.
mozilla_die3.html *did* cause IE5.00 to ask to access the internet (per ZoneAlarm's popup); from the simple HTML involved, I don't see why that happened, so I consider this response a security issue.
Otherwise the worst result was a really stupid looking text entry box (about 1/8th inch wide and half an inch tall).
~REZ~ #43301. Who'd fake being me anyway?
But what do I know. I'm sure I'll get flamed for saying that anyway. ("duh there's a NUL pointer!" You mean character 00? So what?)
At least a browser crash won't lock up my OS or overwrite other portions of memory. Lesser evils and all that.
C|N>K
Clever, but surely the reason such buffer overruns are dangerous is because RETURNS are executed out of the same stack. Keep those addresses in a separate stack and the problem goes away. I can't see why CPU manufacturers don't do this, they would have a great marketing tool too - "use our processor and stop viruses!". It's this mix of code and data on a stack that is the root cause of this type of exploit, and seems to me it could be fixed very easily.
Safari 1.2 for OS X 10.3 does not crash, Camino 0.8.1 does. Helloooo, TalkBack.
I remember the old reliability test of Unix commands which showed that GNU versions were much less likely to crash or do odd things when given random or pathological input. I would have expected the same sort of results with free web browsers. Still, well done to Microsoft for making their HTML parsing code robust against this kind of bug.
-- Ed Avis ed@membled.com
It's too bad it can't deal with properly formed html.
My first thought on this was "IE renders bad code that other Browsers choke on" which isn't exactly unkown to me. So I'd hardly say that the report really reflects all that well on IE. I've seen things before that although they didn't cause other browsers to crash they did render wrongly under anything other than IE, whereas IE just happily skipped the problem and rendered it the way that the author was expecting despite the bad code. So I'm not exactly thrilled that "Bad code doesn't crash IE", as it's a symptom of anotehr problem.
Having said all of that one thing that I've believed about Browsers is that they should fail gracefully. Kinda why I hated NS4.x and CSS. At least other non-CSS-compliant browsers would straight-render my old pages - Netscape just mangled it.
So from the looks of the article it seems that the other browsers aren't exactly handling the bad code is a very good way. If badly coded stuff causes a page to bomb-out then it's definitely a flaw.
Like I said, though, no side really comes off best here. 'Cos it means either your browsers dies on particularly bad code, or it renderes bad code "perfectly" and thus causing problems when "Well it runs fine on my Browser" is the only method of testing.
Tiggs
"120 chars should be enough for everyone..."
...does use the same gecko engine, but it was written from scratch at a time that IE was already quite mature.
That said, there now seems to be a fire burning under the butts of team Mozilla, so expect things to be fixed rapidly.
It's comforting to know that his intentions are good--to make sure we simply get better software.
It's good to see that MS has removed the "crash" tags from IE's "feature list" and that tag soup will no longer kill it. It shows that MS is actually being serious when it says that it hasn't abandoned IE.
That said, I really hope Zalewski conducts a similar test involving scripting/DHTML/CSS. To this day I don't have to try hard to make IE barf on that stuff. In those cases the problem is even more insidious in IE--it doesn't crash much but it does mangle the document appearance. For example, IE makes things invisible when they should be visible onscreen, but they still behave like visible objects programmatically, etc. CSS is very strange in IE in particular...
"Would you accept 6mm nuts for 8mm screws?"
A better question is "Would you prefer a product that can accept 6mm nuts or 8mm nuts for an 8mm screw?"
MS isn't selling HTML.
... the reason IE is so exploitable is that it swallows anything without crashing ... right away.
Enough already. If "I think any use of unordered lists in combination with floats currently leads to the bullet points off the left margin problem" isn't clear enough for you to try it out, you guys really aren't informed enough to be in this conversation. Still, just for you, here's a trivial example that obviously breaks in Firefox up to at least 0.9.2. Just add clutter to turn it into the standardised HTML version of your choice...
Rather embarrassingly, it also breaks Slashdot's <ECODE> tag. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
no, no, no. Crashing is not error handling, and crashing is not strict HTML handline, crashing is LACK of competent error handling. Rendering incorrect pages liberally _is_ better than crashing, though error handling would be better.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
JavaScript is Turing-complete, so if your HTML includes JavaScript, you're doomed, but I believe that HTML and CSS are not Turing-complete, so it should be possible to prove that a given HTML input can be rendered.
I appear to have a blog. Odd.
However, with HTML, you can just render the slice that's visible to the user, rather than the entire document. Thus, assuming displays are of finite size, you can bound the complexity of the render engine.
I appear to have a blog. Odd.