Bring Down Internet Explorer In Six Words

Marcion writes "Some handy Japanese guy called Hamachiya discovered a bug in Internet Explorer. Under certain conditions, an asterisk when used as a wildcard can crash IE as soon as the user attempts to go to another page." The article claims the "five HTML tags and a CSS declaration" crash IE7 as well as IE6, but I couldn't get IE7 to fail. This page says that as of June, IE6 was at about 37% market share and IE7 under 20%.

Tear in my eye

[ceeam]

I didn't think I'll see the day when browser crashing on something would be a newsworthy item. We - the industry - have made improvements in the last years I guess.

Re:Tear in my eye

[somersault]

Either that, or /. is going downhill? That's the pessimist's view anyway ;)

No. You're kidding. Can't be.

[Opportunist]

You can crash IE? Really? With a webpage? Who would have thought?

Seriously, here's a phone. Call someone who cares. Or at least isn't surprised. Or at least thinks it's newsworthy.

I don't care if I have to wave karma goodbye now, but sensibly, is there an event running today that tries to see how many really uninteresting, uninspired and utterly pointless "news" can make it to the front page on a single day? Yes, it's possible to crash IE. Hey, breaking news, you can even crash it in a way that allows you to execute arbitrary code. Wow. Teh horrorz.

This ain't news. It may be a new hole detected, but could we at least get less lurid subject lines that sound like it's the end of the world? How about "new bug in IE detected"? It would have been at least as accurate and more objective. You might get the same "duh, no kidding" replies, but at least people wouldn't make fun of you for making something trivial as an IE bug sound like it's the end of the internet.

Re:No. You're kidding. Can't be.

[apt142]

I think what they considered newsworthy about it is the fact that it can be done in 6 words. Not that the bug exists, but rather how simple it is to crash it. They should have put the foot up there for humor if they wanted to get that across IMHO.

That being said, crashing IE is only slightly more difficult that tying my shoes.

Re:No. You're kidding. Can't be.

[bl8n8r]

> Seriously, here's a phone. Call someone who cares. Or at least isn't surprised. Or at least thinks it's newsworthy.

Attitudes like this are why computer security is in such a dismal state. Crashing an application from a remote system means that application is not filtering it's input correctly and is subject to a remote compromise. Just because IE goes bu-bye and starts right up again doesn't mean everything is peaches. By the time you've restarted the app or rebooted windows, you may have already been compromised with the software of choice by the remote. This cold be a backdoor, keylogger, trojan whatever - and you won't even know it other than "my computer is slow". People need to wise-up because malware is getting sneakier and more cost effective for the people that write it.

Articles like this are news worthy because it brings light to the fact that something is amiss and needs fixing. Unfortunately, other than negative PR, there's little incentive for proprietary software to fix these things. That's one of the reasons IE has been, and still is, such a security nightmare. Firefox is only about 2/3 better (3 pages vs. 8 pages) judging by number of CVEs*. Still, security is about lessening risk. It's foolish to use IE these days with much better options available.

[*] - https://www.kb.cert.org/vuls/html/search

No big deal.

[140Mandak262Jamuna]

First please realize I am no MSFT fanboi, I have been extremely critical of that company in my previous postings.

MSFT should try to fix the bug that is crashing IE, because crashes in IE have a tendency to become a remote execution bug later. But still, no point in bashing MSFT on this issue. Browsers crashing on malformed input is well known. Firefox, my fav and only browser, too crashes often on malformed input. There is this thing called fuzzing, sending deliberately malformed input to the browser and see what happens. Firefox used to crash more often than IE under fuzzing. Now they provide fuzzing tools for their testers to strengthen mozilla products.

Re:Browser Metrics

[I'm+Don+Giovanni]

"I tend to use http://www.w3counter.com/globalstats.php more than the w3schools stats, they're usually more accurate since w3schools has a very specific audience."

It may be more accurate, but still not very, considering that it says that Latvia makes up 4% of web usage. ;)