IE Shines On Broken Code

Posted by timothy on Tue Oct 19, 2004 06:24 AM
from the crashing-is-unsafe dept.
mschaef writes "While reading Larry Osterman's blog (he's a long time Microsoftie, having worked on products dating back to DOS 4.0), I ran across this BugTraq entry on web browser security. Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse.' If you want to try this at home, he's also provided the tools he used in the BugTraq entry."
  • Because it's used to it? (Score:5, Funny)

    by ideatrack (702667) on Tuesday October 19 2004, @06:26AM (#10563397)
    There's a good phrase I can use to explain this one:

    If you work in a monkey house, you expect to be pelted with shit.
  • hmmm (Score:4, Funny)

    by Anonymous Coward on Tuesday October 19 2004, @06:26AM (#10563400)
    I'd love to read the article, but the page seems to contain malformed HTML...
  • Slashdot browser testing? (Score:3, Insightful)

    by richie2000 (159732) <rickard.olsson@gmail.com> on Tuesday October 19 2004, @06:26AM (#10563402)
    (http://www.sammamamma.com/ | Last Journal: Friday June 15, @01:49AM)
    It's strangely fitting that the response I first got was the error message: "Nothing for you to see here. Please move along." The Slashdot effect has finally spread to the browser.

    However, my Mozilla passed the test without crashing. :-P

  • What they didn't say (Score:5, Funny)

    by Anonymous Coward on Tuesday October 19 2004, @06:27AM (#10563409)
    They didn't say that IE also started randomly installing Bonzi Buddy et al during the test, the users' credit card numbers were automagically emailed to Romania, there was a sudden increase in outbound port 25 traffic from the system, and they ended the session with about 37 more toolbars installed than they started with.
  • Security Issues by PrivateDonut (Score:2) Tuesday October 19 2004, @06:27AM
    • Re:Security Issues (Score:5, Insightful)

      by mccalli (323026) on Tuesday October 19 2004, @06:31AM (#10563436)
      (http://www.eruvia.org/)
      Does the fact that most of the browsers crash mean that they are vulnerable in some way?

      Potentially.

      Is the fact that they do crash a good thing?

      No. Never ever is it a good idea to crash on receipt of invalid data. It's up to the program to try and parse this, realise it can't do so successfully, then act accordingly (error message, best-guess try, whatever. I prefer error message myself, but can understand those who prefer best-guess).

      Cheers,
      Ian

      • Re:Security Issues (Score:5, Interesting)

        by Trillan (597339) on Tuesday October 19 2004, @06:44AM (#10563510)
        (http://pyile.com/ | Last Journal: Tuesday December 19 2006, @01:33PM)
        XHTML is supposed to be refused if malformed; HTML prior to 4.0 is supposed to be best-guessed. I'm not sure what the behaviour of 4.0 Transitional and 4.0 Strict is supposed to be, but I'm sure it's documented as part of the spec.
        • Re:Security Issues (Score:4, Informative)

          I'm not sure what the behaviour of 4.0 Transitional and 4.0 Strict is supposed to be

          It's kind of in the name. Transitional should best-guess. Strict should not.

        • Re:Security Issues (Score:5, Interesting)

          XHTML is supposed to be refused if malformed; HTML prior to 4.0 is supposed to be best-guessed.

          This reinforces my belief that XHTML is the way forward since it reduces the code complexity of the browser:

          XHTML: Try to parse - fail - give up
          HTML: Try to parse - fail - Try to reconstruct - hit bug - crash

          XHTML is also good because it removes the fuzzy area of what to do if the code is crap - with HTML, a web developer will write a page, won't bother to validate it and just check it works in IE. Since different browsers have different methods of fixing broken code, the results of this page are not platform independent. With XHTML, if the developer writes broken code it just plain won't work. The management who pay the web developer probably don't know anything about standards compliance and if it works in IE the developer gets paid, but if it just sits there with a parse error the developer will either have to fix it or not get paid (Good Thing).

          That said, IMHO there is something to be said for a couple of additions to the XHTML spec:

          1. a button on the "parse error" page which tells the browser to render it as tag soup - that way the end user can try to view the page anyway even if it's broken (whilst still being informed that it really is broken code).
          2. an automatic feedback system in which the browser will post details of the parse error back to the server. Otherwise the developer may never know there's a problem (especially important with dynamically generated markup which may not be easily validated).

          Similarly, it would be really nice, IMHO, if browsers made it clear (by placing a big X on the status bar or something) when they are viewing broken *HTML* code since this would indicate to the user why the page might not look quite right and would be an indication to the management not to pay the web designer they hired since he is obviously lacking in the ability to do his job.
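The two handling policies described in the comment above, written out as an added example (this is not code from the thread or from any browser): the strict XHTML path uses Python's XML parser and stops at the first well-formedness error, while tag-soup rendering is an explicit opt-in, as item 1 suggests. The parse-error report carries the line and column from the parser, which is the kind of detail item 2 would post back to the site. The sample inputs are constructed here; the first is the gallery file quoted later in the thread.

```python
"""Added example: fail-closed XHTML parsing versus opt-in tag-soup rendering.
Not part of the thread or of any browser; sample inputs are constructed."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed inputs: the gallery sample quoted in this thread, and a
# well-formed document for comparison.
MOZILLA_DIE1 = "<HTML><INPUT AAAAAAAAAA>"
WELL_FORMED = "<html><body><p>ok</p></body></html>"


def strict_parse(doc):
    """XHTML path: try to parse, fail, give up.  The returned report is what a
    browser could show on a parse-error page or post back to the server."""
    try:
        ET.fromstring(doc)
        return {"ok": True, "error": None, "line": None, "column": None}
    except ET.ParseError as exc:
        line, column = exc.position  # expat's (line, column) of the first error
        return {"ok": False, "error": str(exc), "line": line, "column": column}


class SoupRenderer(HTMLParser):
    """Tag-soup path: html.parser keeps going on anything; record what it saw."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def render(doc, allow_soup=False):
    """Render strictly; on error show a parse-error page unless the user has
    explicitly asked for the best-guess (tag soup) rendering."""
    report = strict_parse(doc)
    if report["ok"]:
        return {"mode": "xhtml", "report": report, "tags": None}
    if not allow_soup:
        return {"mode": "parse-error", "report": report, "tags": None}
    soup = SoupRenderer()
    soup.feed(doc)
    soup.close()
    return {"mode": "tag-soup", "report": report, "tags": soup.tags}


if __name__ == "__main__":
    print(render(WELL_FORMED)["mode"])
    print(render(MOZILLA_DIE1)["report"])
    print(render(MOZILLA_DIE1, allow_soup=True)["tags"])
```

The point of keeping the strict path first is that the "best guess" never runs unless someone chose it, so the well-formed case has exactly one behaviour everywhere and the broken case is visibly flagged rather than silently repaired.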
        • Re:Security Issues by Anonymous Brave Guy (Score:2) Tuesday October 19 2004, @07:09AM
          • Re:Security Issues (Score:5, Insightful)

            But is that according to the people who wrote the XHTML standard, or the user who just wants to see the web page?

            Just to be clear, unparseable XHTML is not XHTML. In "Matrix" terms, there is no web page. Instead, there is a string of text that may resemble XHTML to the casual observer but that doesn't really represent anything at all.

            Arguing that browsers should half-support broken XHTML is like saying that a C compiler should do something whenever it encounters invalid C, since the user obviously wants to run the code and isn't interested in bowing to the pedantic demands of some irrelevant standards committee.

            One is rather more important than the other in this context.

            I agree completely, but I don't think it's the one that you picked.

        • Re:Security Issues by xoran99 (Score:2) Tuesday October 19 2004, @07:27AM
        • Re:Security Issues by jrexilius (Score:2) Tuesday October 19 2004, @10:51AM
      • Re:Security Issues by iamdrscience (Score:3) Tuesday October 19 2004, @06:48AM
      • Re:Security Issues by Bas_Wijnen (Score:2) Tuesday October 19 2004, @07:02AM
    • Re:Security Issues by muhcashin (Score:1) Tuesday October 19 2004, @07:00AM
  • which version of IE was it? (Score:5, Informative)

    by jonwil (467024) on Tuesday October 19 2004, @06:29AM (#10563415)
    Apparently, XPSP2 (including the new IE) was recompiled with the latest Visual Studio and with all the options turned on to better catch issues.
  • In a land of broken codes... by kusanagi374 (Score:2) Tuesday October 19 2004, @06:29AM
  • Finally... by fredrikj (Score:2) Tuesday October 19 2004, @06:29AM
  • Off Topic by z0ink (Score:2) Tuesday October 19 2004, @06:30AM
    • Re:Off Topic by CrazyWingman (Score:2) Tuesday October 19 2004, @07:01AM
      • Re:Off Topic by DrSkwid (Score:2) Tuesday October 19 2004, @07:24AM
    • Re:Off Topic (Score:4, Insightful)

      by SpaghettiPattern (609814) on Tuesday October 19 2004, @07:24AM (#10563761)
      With such a powerful parsing engine you would think IE could parse web standards a little better.

      Has it ever occurred to you that it is in MS's interest to parse bad HTML? Maybe even to encourage bad HTML so IE is considered the best browser by the man in the street. Now where's my tin foil hat?
  • Biased = 0? by octaene (Score:1) Tuesday October 19 2004, @06:31AM
  • Excellent! by Mysticalfruit (Score:2) Tuesday October 19 2004, @06:31AM
    • Re:Excellent! by LiquidCoooled (Score:3) Tuesday October 19 2004, @06:47AM
    • Re:Excellent! (Score:5, Informative)

      Actually, the code does not seem that great.

      Here's the mozilla_die1.html code:
      <HTML><INPUT AAAAAAAAAA>
      And the mozilla_die2.html code:
      <HTML>
      <HEAD>
      <MARQUEE>
      <TABLE>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <MARQUEE HEIGHT=100000000>
      <TBODY>

      Attack of the marquees!
      It looks like he came across places where either boundary checks or type checks are not in place.

      Besides, he's had access to almost all the browser code, hasn't he?

      I mean, these bugs are bad, but I'm sure if I had access to IE's code I could come up with a zillion bugs.
      • Re:Excellent! (Score:5, Interesting)

        by eht (8912) on Tuesday October 19 2004, @07:03AM (#10563646)
        One guy with ten minutes came up with ways to crash Mozilla, Lynx, and Links, yet hundreds of thousands of programmers with years of access to the same code haven't fixed these same bugs.
        • Re:Excellent! by Anonymous Coward (Score:2) Tuesday October 19 2004, @07:05AM
        • Re:Excellent! (Score:5, Interesting)

          by roca (43122) on Tuesday October 19 2004, @08:38AM (#10564332)
          (http://www.cs.cmu.edu/~roc)
          On any given day we know of many HTML inputs that will crash Mozilla, and many that will crash IE, and ditto for other browsers. Which ones get fixed is simply a matter of priorities. And we prioritize by looking at the crash to see if it looks like it could be turned into a security hole; looking at talkback data to see which crashes people are hitting most frequently; focusing on the ones that occur on actual real websites, and maybe after that when there's nothing else to do we fix the ones exposed by artificial testcases.

          No-one has enough resources to fix every bug, not even Microsoft.
      • Re:Excellent! by Christianfreak (Score:2) Tuesday October 19 2004, @08:11AM
      • Re:Excellent! by sysadmn (Score:2) Tuesday October 19 2004, @08:45AM
      • Re:Excellent! by iabervon (Score:2) Tuesday October 19 2004, @11:23AM
      • Re:Excellent! by joel2600 (Score:1) Tuesday October 19 2004, @01:12PM
      • Re:Excellent! (Score:5, Informative)

        by EMN13 (11493) on Tuesday October 19 2004, @07:09AM (#10563679)
        (http://eamon.nerbonne.org/)
        As he stated in the article; the crashes are sometimes platform-specific.

        I've tried this in 1.0PR firefox on win32, and the crashes do occur there.

        I've gotta say - this really looks like a great tool; a simple and effective way of finding some bugs!

        --Eamon
        • Re:Excellent! by GAlain (Score:1) Tuesday October 19 2004, @07:55AM
    • Seems true for Slash code, too. by Vandil X (Score:2) Tuesday October 19 2004, @07:34AM
    • Re:Excellent! by SpaghettiPattern (Score:1) Tuesday October 19 2004, @08:01AM
      • Re:Excellent! by Tralfamadorian (Score:1) Tuesday October 19 2004, @01:14PM
  • This is a blessing in disguise (Score:5, Insightful)

    by Darren Winsper (136155) on Tuesday October 19 2004, @06:32AM (#10563442)
    (http://www.winsper.org.uk/)
    I don't know if they still use it, but the Linux kernel developers used to use a program called "crashme" to help test kernel stability. Essentially, it generated random code and tried to execute it. Something like this for web browsers would make for a very useful procedure. Generate the code, throw it at the browser and log the code if it crashed the browser.
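An added example serving two passages in this thread: the "generate, throw it at the browser, log what crashed" procedure described in the post above, and the observation in the "Excellent!" subthread that the gallery samples hit places where boundary checks or type checks were missing. It is not mangleme, crashme, or any browser's code. The target is a small in-process Python layout routine in two versions, one that trusts HEIGHT values and nesting depth as given and one that validates, clamps and warns instead; the harness feeds both the quoted gallery files (constructed copies here) and random tag soup, logs crashing inputs, and groups them by signature so triage can start from distinct causes. The limits MAX_DIMENSION and MAX_DEPTH are assumptions.

```python
"""Added example: a crash-logging harness in the spirit of 'crashme', run
against a naive and a bounded handler for tag soup.  Not mangleme and not
any browser's code; the limits below are assumptions for illustration."""
import random
import re
from html.parser import HTMLParser

# Constructed copies of the two gallery samples quoted in the thread (file contents only).
MOZILLA_DIE1 = "<HTML><INPUT AAAAAAAAAA>"
MOZILLA_DIE2 = ("<HTML>\n<HEAD>\n<MARQUEE>\n<TABLE>\n"
                + "<MARQUEE HEIGHT=100000000>\n" * 11 + "<TBODY>\n")

MAX_DIMENSION = 10_000   # assumed clamp for HEIGHT values (pixels)
MAX_DEPTH = 64           # assumed limit on simultaneously open elements
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link"}
DIGITS = re.compile(r"^\d{1,9}$")  # anything longer is ignored, not even parsed


class EventCollector(HTMLParser):
    """Turns a document into ('start'|'end', tag, attrs) events.  html.parser
    itself tolerates tag soup; the defects below are in what is done with it."""
    def __init__(self):
        super().__init__()
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, attrs))

    def handle_endtag(self, tag):
        self.events.append(("end", tag, []))


def events(doc):
    parser = EventCollector()
    parser.feed(doc)
    parser.close()
    return parser.events


def naive_layout(doc):
    """Missing type and bounds checks: trusts every HEIGHT value as given and
    never limits nesting."""
    total, depth = 0, 0
    for kind, tag, attrs in events(doc):
        if kind != "start":
            continue
        depth += 1
        for name, value in attrs:
            if name == "height":
                total += int(value)  # TypeError on bare HEIGHT, ValueError on HEIGHT=abc
    return {"height": total, "depth": depth}


def bounded_layout(doc):
    """Best-guess parsing that validates, clamps and warns instead of crashing."""
    total, stack, warnings, max_depth = 0, [], [], 0
    for kind, tag, attrs in events(doc):
        if kind == "end":
            if tag in stack:  # close everything back to the last matching open tag
                del stack[len(stack) - 1 - stack[::-1].index(tag):]
            continue
        for name, value in attrs:
            if name == "height":
                if value is None or not DIGITS.match(value):
                    warnings.append(f"<{tag}> ignored HEIGHT={value!r}")
                    continue
                total += min(int(value), MAX_DIMENSION)
            elif value is None:
                warnings.append(f"<{tag}> valueless attribute {name!r}")
        if tag in VOID_TAGS:
            continue
        if len(stack) >= MAX_DEPTH:
            warnings.append(f"<{tag}> dropped: nesting limit {MAX_DEPTH}")
            continue
        stack.append(tag)
        max_depth = max(max_depth, len(stack))
    return {"height": total, "depth": max_depth, "warnings": warnings}


TAGS = ["html", "head", "table", "tbody", "tr", "td", "marquee", "input", "div"]
ATTRS = ["", " HEIGHT=12", " HEIGHT=100000000", " HEIGHT=abc", " HEIGHT", " AAAAAAAAAA"]


def mangle(rng, n_tags):
    """Random tag soup: stray end tags, junk attributes, absurd sizes."""
    parts = []
    for _ in range(n_tags):
        tag = rng.choice(TAGS)
        if rng.random() < 0.2:
            parts.append(f"</{tag}>")
        else:
            parts.append(f"<{tag}{rng.choice(ATTRS)}>")
    return "".join(parts)


def fuzz(layout, iterations=200, seed=1):
    """Generate, feed, and log every input that crashes the function under test."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        doc = mangle(rng, rng.randint(4, 40))
        try:
            layout(doc)
        except Exception as exc:  # a real harness would watch a subprocess exit signal
            crashes.append((f"{type(exc).__name__}: {exc}", doc))
    return crashes


def crash_signatures(crashes):
    """Deduplicate by exception text so triage starts from distinct root causes."""
    return sorted({sig for sig, _ in crashes})


if __name__ == "__main__":
    print("bounded die2:", bounded_layout(MOZILLA_DIE2))
    naive_crashes = fuzz(naive_layout)
    print(len(naive_crashes), "crashing inputs;", crash_signatures(naive_crashes))
    print("bounded crashes:", len(fuzz(bounded_layout)))
```

Logging the input beside the signature is what makes a random finding reproducible; the bounded version reports the same malformed constructs as warnings and survives the whole run.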
  • Frontpage by bmongar (Score:2) Tuesday October 19 2004, @06:32AM
    • Re:Frontpage by Angostura (Score:1) Tuesday October 19 2004, @06:55AM
      • Re:Frontpage by bmongar (Score:1) Tuesday October 19 2004, @06:59AM
        • Re:Frontpage by ggy (Score:1) Tuesday October 19 2004, @07:57AM
      • Re:Frontpage by g051051 (Score:1) Tuesday October 19 2004, @08:26AM
  • Tried with Safari on OS X ... (Score:5, Informative)

    by Anonymous Coward on Tuesday October 19 2004, @06:32AM (#10563445)
    Nothing crashed. I got blank pages, all the weird HTML and all, but no errors and nothing crashed. w00t.
  • Shining us on by AndroidCat (Score:1) Tuesday October 19 2004, @06:33AM
  • This Is to MS's Clear Business Advantage... by judmarc (Score:2) Tuesday October 19 2004, @06:33AM
  • Great by Nehle (Score:1) Tuesday October 19 2004, @06:34AM
  • Konqueror and bugs (Score:3, Informative)

    by Anonymous Coward on Tuesday October 19 2004, @06:35AM (#10563458)
    Konqueror has a neat bug symbol on the lower right corner when displaying buggy HTML code.
    I think this is a nice feature.
    I wish that konqueror would have been tested. It's a good browser.
  • Let me get this straight... by jav1231 (Score:2) Tuesday October 19 2004, @06:35AM
  • All Other Browsers? (Score:3, Interesting)

    by polyp2000 (444682) on Tuesday October 19 2004, @06:37AM (#10563470)
    (http://www.polyprecords.com/ | Last Journal: Friday October 03 2003, @02:20PM)
    While I must admit that this is a great technique that can be employed by the various alternative browser vendors such as the Firefox team to weed out problems, with its track record I find it rather dubious that the guy was unable to crash IE. I'm willing to bet there are a couple of people here on Slashdot who know a few tricks that will crash IE with nothing more than a couple of lines of code, which would inevitably point to a flaw in his system. If anything at all this highlights IE's highly forgiving HTML parsing.
  • The power of open source by swinefc (Score:2) Tuesday October 19 2004, @06:38AM
  • The reason for this is simple by smartin (Score:2) Tuesday October 19 2004, @06:38AM
  • All software has failure modes, question is... by museumpeace (Score:2) Tuesday October 19 2004, @06:38AM
    • DOS? by tepples (Score:1) Tuesday October 19 2004, @09:52AM
  • Coding to Standards by dapulli (Score:1) Tuesday October 19 2004, @06:39AM
    • Re:Coding to Standards (Score:4, Informative)

      by Jedi Alec (258881) on Tuesday October 19 2004, @06:46AM (#10563526)
      I'd really prefer it to just refuse to parse the page mentioning that the code is bad instead of crash. As much as I like Firefox/Moz, when a piece of software is fed bad data, it should say so, not die on the spot, ever.
  • Let the insults fly... (Score:3, Insightful)

    by tomstdenis (446163) <tomstdenis@g m a i l .com> on Tuesday October 19 2004, @06:39AM (#10563484)
    (http://libtom.org/)
    Assuming this MSFT guy is not lying...

    Yes it's a slap in the face. But seriously this is what OSS is supposed to be about. Full public disclosure. If he did find scores of DoS related bugs then the OSS crowd [who like to show their names when the attention getting is good] ought to pay attention and fix the problems.

    You can't gloat how open and progressive you are if you scowl and fight every possible negative bit of news.

    And "mentioning how bad MSIE is" is not a way to make your product any better [just like "he's not bush" isn't a bonus for Kerry].

    So shape up, take it in stride and get to the board.

    Oh and while you're at it make Mozilla less bloatware. 30MB of tar.bz2 source could be your first problem....

    Tom
  • Catch by Quixote (Score:2) Tuesday October 19 2004, @06:40AM
  • Tested Konqueror (Score:5, Informative)

    None of the samples in http://lcamtuf.coredump.cx/mangleme/gallery/ [coredump.cx] was able to crash Konqueror from KDE CVS Head. Heheh time to praise Khtml developers again!
    • Re:Tested Konqueror by Anonymous Coward (Score:2) Tuesday October 19 2004, @06:49AM
    • Re:Tested Konqueror (Score:5, Interesting)

      by Anonymous Coward on Tuesday October 19 2004, @06:50AM (#10563550)
      http://lcamtuf.coredump.cx/mangleme/mangle.cgi

      You're right, none of the samples work with Konqueror, however after doing a little testing myself with the above page it just took me about five tries to make it crash.

      Bad luck? Maybe, but just try it yourself.
    • Re:Tested Konqueror by Anonymous Coward (Score:2) Tuesday October 19 2004, @06:51AM
    • Re:Tested Konqueror by BrianHursey (Score:1) Tuesday October 19 2004, @08:10AM
    • Re:Tested Konqueror by WindBourne (Score:2) Tuesday October 19 2004, @10:25AM
    • Re:Tested Konqueror by alexborges (Score:1) Tuesday October 19 2004, @12:04PM
    • Re:Tested Konqueror by StormReaver (Score:2) Tuesday October 19 2004, @01:33PM
  • I've seen that before (Score:5, Interesting)

    by hwestiii (11787) on Tuesday October 19 2004, @06:41AM (#10563498)
    (http://hwestiii.dnsalias.net/)
    I saw something like this (not quite, but similar) a few years ago working with Java Script.

    I wasn't that experienced with it, and as a result, certain pieces of my code were syntactically incorrect. Specifically, I was using the wrong characters for array indexing; I think I was using "()" instead of "[]". I would never have known there was even a problem if I hadn't been doing side-by-side testing with IE and Mozilla. A page that rendered correctly in IE would always show errors in Mozilla. This made absolutely no sense to me.

    It wasn't until I viewed the source generated by each browser that I discovered the problem. IE was dynamically rewriting my JavaScript, replacing the incorrect delimiters with the correct ones, whereas Mozilla was simply taking my buggy code at face value.
  • Reality Distortion Fields ON! (Score:3, Insightful)

    by Zarf (5735) on Tuesday October 19 2004, @06:46AM (#10563527)
    (http://hartsock.blogspot.com/ | Last Journal: Wednesday November 21, @10:48AM)
    The same person tells us [asp.net] that Apache [secunia.com] sucks when compared [asp.net] with IIS [secunia.com]. Does this mean we've all been wrong about Microsoft products? If we take Microsoft's word for it we have indeed and should seriously consider switching back to IIS. After all, [THE FOLLOWING IS SARCASM:] this conclusively proves that IIS is far superior to the Linux Apache MySQL Perl/Python/PHP system.
  • Re:Reality Distortion Fields ON! by Anonymous Coward (Score:2) Tuesday October 19 2004, @09:38AM
  • Re:Reality Distortion Fields ON! by spectecjr (Score:2) Wednesday October 20 2004, @06:37PM
  • Well, I found one ... by digitalgimpus (Score:2) Tuesday October 19 2004, @06:47AM
  • The Reason why IE is still the most used browser by dJOEK (Score:2) Tuesday October 19 2004, @06:47AM
  • MSIE was through this already. by Vo0k (Score:2) Tuesday October 19 2004, @06:47AM
  • To crash or not to crash by MadFarmAnimalz (Score:2) Tuesday October 19 2004, @06:47AM
  • few bugs or many bugs? by mr_walrus (Score:1) Tuesday October 19 2004, @06:49AM
  • Ahh... by Atrophis (Score:1) Tuesday October 19 2004, @06:49AM
  • strategic point of view (Score:5, Interesting)

    by ragnar (3268) on Tuesday October 19 2004, @06:50AM (#10563554)
    (http://www.solariscentral.org/)
    I may be a little paranoid (heck, I actually am) but I've long suspected the IE support for loose HTML was a strategic decision. Go back to the days when Netscape would render a page with an unclosed table tag as blank. IE rendered the page, and I often encountered sites that didn't work on Netscape.

    It could be a coincidence, but the loose HTML support of IE led to a situation where some webmasters concluded that Netscape had poor HTML support. You can argue about standards all day long, but if one browser renders and another crashes or comes up blank there isn't much of a contest.
  • uhm... by embeejay (Score:1) Tuesday October 19 2004, @06:51AM
  • Here's the bad code by Araneas (Score:2) Tuesday October 19 2004, @06:52AM
  • A clue about the browser development process? by constantnormal (Score:2) Tuesday October 19 2004, @06:54AM
  • The difference between IE & Firefox by t_allardyce (Score:2) Tuesday October 19 2004, @06:56AM
  • end-table tags... by orion41us (Score:1) Tuesday October 19 2004, @06:57AM
  • by SmilingBoy (686281) on Tuesday October 19 2004, @06:57AM (#10563611)
    The author gave some examples that are supposed to crash Mozilla, Opera, Links and Lynx at the following URL:

    http://lcamtuf.coredump.cx/mangleme/gallery/ [coredump.cx]

    I opened all the pages in tabs in Firefox 0.10.1 under Windows 2000, and Firefox did not crash. It became somewhat unresponsive, but I could still select other tabs, minimise and maximise. I could not load new pages anymore.

    Can someone else test this as well, please?

    And can someone tell us whether this has security implications or not?

  • Standard Testing by BenjyD (Score:2) Tuesday October 19 2004, @06:58AM
  • I _love_ his conclusions by Ender Ryan (Score:2) Tuesday October 19 2004, @07:00AM
  • hmm... by neko9 (Score:1) Tuesday October 19 2004, @07:00AM
  • Who's Who (Score:5, Informative)

    by Effugas (2378) * on Tuesday October 19 2004, @07:00AM (#10563626)
    (http://www.doxpara.com/)
    Ugh. Not the best written Slashdot entry.

    Larry Osterman -- former Microsoft guy; someone forwarded him a post to Bugtraq.

    Michael Zalewski -- absurdly brilliant [coredump.cx] security engineer out of Poland. Did the pioneering work on visualizing [wox.org] randomness [coredump.cx] of network stacks, passively identifying operating systems [coredump.cx] on networks, and way way more.

    Nothing bad against Larry. But this is all Zalewski :-)

    --Dan
    • Re:Who's Who by spectecjr (Score:2) Thursday October 21 2004, @01:56AM
  • generated html by noselasd (Score:2) Tuesday October 19 2004, @07:01AM
  • IE Crashes On Valid HTML! (Score:5, Informative)

    by Diplo (713399) on Tuesday October 19 2004, @07:01AM (#10563636)
    (http://www.diplo.co.uk/)

    Never mind using random garbage to crash a browser, you can make IE6 crash with perfectly valid strict HTML.

    Try this page [nildram.co.uk] in IE6 and then hover your pointer over the link. Crash!!!

  • results of testing mozilla on linux- NO CRASHES by evil_one666 (Score:2) Tuesday October 19 2004, @07:02AM
  • by grinder (825) on Tuesday October 19 2004, @07:02AM (#10563645)
    (http://grinder.perlmonk.org/)

    Case in point.

    Last week I wrote some Perl to process an mbox mail folder. I just wanted a quick and dirty way to view its contents in a web page. A couple of CPAN modules and a few dozen lines of code and the thing was done. Then I started to get fancy and deal with stuff like embedded MIME-encoded GIF images. This was pretty simple to do, but I made a mistake. Once I had the decoded GIF data lying around, I wrote it to the HTML file of the current e-mail message, rather than writing it to a separate file and writing <img src="foo.gif"> in the HTML file.

    I was viewing the results with Firefox 0.10.1. When it got to a message with an embedded GIF, with a big slodge of GIF binary data sitting in the middle of the page, Firefox either just sat there spinning its hourglass, or crashed and burned.

    Then I looked at the same file with IE, and the GIF image showed up. I was puzzled for a while until I noticed that in the directory where I had created the file, no GIF files had been created. It is of course arguable that IE should not have attempted to render the GIF image from the binary data sitting in the middle of the page, but it did so without complaint. Not rendering it would also be acceptable.

    Firefox, on the other hand, has a number of better alternatives to crashing or hanging. Should it display gibberish (like when you forget to set up your bz2 association correctly) or nothing, or the image? I don't know, and don't particularly care about which course of action is taken. Anything is better than crashing, especially when IE doesn't.

    Anyway, I fixed the Perl code, and all is well.

    The End

  • No problems on Firefox 0.10.1 by bbuR_bbuB (Score:2) Tuesday October 19 2004, @07:05AM
  • by fwitness (195565) on Tuesday October 19 2004, @07:05AM (#10563662)
    While it's great that IE can handle 'bad' web code, it really is a separate issue from security. Now, when the other browsers actually *crash*, this is a concern. Yes crashes *can* be used to determine an exploit, but that doesn't mean they *do*.

    To beat the dead horse of the car analogy, if my car doesn't start, it may be the entire electrical system, or maybe my battery is just dead. The moral is don't try to make a mountain out of a mole hill.

    Meanwhile, I absolutely despise the fact that IE does handle a lot of 'bad' code. This is a side effect of the IE monopoly on the browsing world. We're not talking about it handling variables that aren't declared before they are used or somesuch. We're talking about code which *should* be causing errors. Since they don't cause errors most of the time (or are hidden from the user) and most web authors only test with IE, there is a massive amount of bad code on the net which is never fixed.

    Now I'm glad that the author has found these crashing bugs in the other browsers. This obviously needs fixing, and I'm glad IE is at least stable when it encounters malformed code, but more error reporting needs to be done to the user on all browsers.

    Summary: Good review, brings up great points, kudos to MS for stability. Now everyone go back to work on your browsers and add blatant *THIS WEBSITE AUTHOR DOES NOT WRITE PROPER CODE* dialogs to all your error messages. It's the web author's fault, it's time we told them so.
  • doh? by realkiwi (Score:1) Tuesday October 19 2004, @07:10AM
    • Re:doh? by iapetus (Score:2) Tuesday October 19 2004, @08:00AM
  • In other news.. by rjshields (Score:1) Tuesday October 19 2004, @07:12AM
  • Great Tool! by EMN13 (Score:2) Tuesday October 19 2004, @07:13AM
  • useful by zecg (Score:1) Tuesday October 19 2004, @07:15AM
  • That's odd... by jridley (Score:2) Tuesday October 19 2004, @07:19AM
  • Safari holds up OK by goynang (Score:1) Tuesday October 19 2004, @07:22AM
  • do the same with windows itself... by loconet (Score:2) Tuesday October 19 2004, @07:24AM
  • by cascadingstylesheet (140919) on Tuesday October 19 2004, @07:25AM (#10563767)

    ... and here's why.

    With correct data (in this case, HTML), there is a specified action that is "correct". In other words, a correctly marked up table will get laid out according to the W3C rules for laying out tables. A paragraph will get formatted as a paragraph, etc.

    With malformed markup, the "correct" thing to do is indeterminate. If every browser just takes its best guess, they will all diverge, and the behavior is wildly unpredictable. Even from version to version of the same browser, the "best guess" will change.

    "So? You've just described the web!" Well, exactly, but it could have been avoided. Bad markup shouldn't render. It ain't rocket science to do (or generate, though that can be a harder problem) correct markup. If you had to do it to get your pages viewed, you would. Ultimately, it wouldn't cost any more, and would actually cost less (measure twice, cut once).

    Of course, what I just wrote only really applies in a heterogeneous environment ... which MS doesn't want ... fault tolerance in your own little fiefdom can make sense.

  • Bug 265027 by Val314 (Score:2) Tuesday October 19 2004, @07:25AM
  • Bugzilla by Plutor (Score:2) Tuesday October 19 2004, @07:29AM
    • Re:Bugzilla by rjw57 (Score:2) Tuesday October 19 2004, @08:22AM
      • Re:Bugzilla by Plutor (Score:1) Tuesday October 19 2004, @08:46AM
  • maybe its a fluke.. (Score:3, Interesting)

    by Anonymous Coward on Tuesday October 19 2004, @07:31AM (#10563809)
    I tried this script on both Mozilla and Firefox at least 40 times now, and it hasn't crashed yet...

    You'll also notice none of this random code tests ActiveX security either, or many of the MS extensions which "enhance" security either.. So I think the tests should be taken more with a grain of salt.. Also while he did say null dereferences, it's potentially due to all the same one or two flaws, and may not be exploitable at all..

    Take this with a grain of salt I'd say, because when you check the tags being tested, there aren't a great amount..
  • Borrring... by PhraudulentOne (Score:1) Tuesday October 19 2004, @07:34AM
    • Re:Borrring... by Blitzenn (Score:1) Tuesday October 19 2004, @08:10AM
      • Re:Borrring... by PhraudulentOne (Score:1) Thursday October 28 2004, @07:19AM
  • Compiler and Memory Manager? by Domini (Score:2) Tuesday October 19 2004, @07:40AM
  • Not just IE by Chanc_Gorkon (Score:1) Tuesday October 19 2004, @07:42AM
  • w3c validator by El_Muerte_TDS (Score:1) Tuesday October 19 2004, @07:44AM
  • Poll: WHO has experienced crashes? (Score:3, Informative)

    by koi88 (640490) on Tuesday October 19 2004, @07:46AM (#10563920)
    From many posts here I get the idea that most people didn't have the crashes the author had...
    So can those people who have tested his code write
    • used browser and version number
    • OS (exact)
    • result

    PS: I'm here at work on Mac OS 9 and all browsers are pretty old, so I don't write anything...
  • Makefile by kasperd (Score:2) Tuesday October 19 2004, @07:50AM
  • IE problems by fionbio (Score:1) Tuesday October 19 2004, @07:52AM
  • Dumb developer question (Score:5, Interesting)

    by Halo- (175936) on Tuesday October 19 2004, @07:56AM (#10563991)
    Wow, what a great test tool! I do software dev for a living, and the hardest part is when a user says: "umm, I did something, and it crashed... I dunno what..." and then you can't reproduce the problem. The problem exists, but due to the complexity of software, its environment, and the subtleties between the way individuals use it, it's hard to reduce the problem down to a few variables...

    A tool like this would let the average wannabe contributor find reproducible bugs and try to fix them. Which brings me to my dumb question: Is the Mozilla Gecko engine more easily built/tested than the whole of Firefox? I love FF, and wouldn't mind throwing some cycles at improving it, but the entire build process is a bit more than I really want to take on... If I could just build and unit-test the failing component I'd be more likely to try.

    Anyone have pointers beyond the hacking section at MozillaZine?

  • DoS vs Security hole, vs just bad code by qray (Score:1) Tuesday October 19 2004, @07:58AM
  • I tried his "live" POC... by miketang16 (Score:2) Tuesday October 19 2004, @08:03AM
  • and IE Breaks on Shiny Code by Meostro (Score:1) Tuesday October 19 2004, @08:16AM
  • Basic question by seguso (Score:1) Tuesday October 19 2004, @08:20AM
  • OSX Safari A.O.K by Uncertain Bohr (Score:1) Tuesday October 19 2004, @08:22AM
  • Ok, did he file a bug report? by Stonent1 (Score:2) Tuesday October 19 2004, @08:23AM
  • What are we saying here? by The1Genius (Score:1) Tuesday October 19 2004, @08:29AM
  • IE couldn't have been written in .NET... by generalpf (Score:1) Tuesday October 19 2004, @08:30AM
  • His examples don't work (crash browser) by Gilmoure (Score:2) Tuesday October 19 2004, @08:34AM
  • that's easy by nazokoneko (Score:2) Tuesday October 19 2004, @08:35AM
  • GNU/Linux by Hugonz (Score:2) Tuesday October 19 2004, @08:44AM
  • Is it just me... by HerculesMO (Score:2) Tuesday October 19 2004, @08:46AM
  • Instant IE Crash by RichM (Score:1) Tuesday October 19 2004, @09:10AM
  • Convenience trumps security again by scruffy (Score:2) Tuesday October 19 2004, @09:12AM
  • (mal)form follows (mal) function by tz (Score:2) Tuesday October 19 2004, @09:16AM
  • by TheLink (130905) on Tuesday October 19 2004, @09:17AM (#10564679)
    (Last Journal: Saturday January 06 2007, @01:13AM)
    Netscape used to crash very often. Looks like the Mozilla people didn't learn much from it.

    Mozilla is just as sucky security-wise as the old non-mozilla Netscape (3.x 4.x). Whether it is OSS or not doesn't make it secure/insecure, it's the programmers that count. Look at Sendmail and Bind (and many other ISC software), security problems year after year for many years. Look at PHPNuke - security problems month after month for years. Look at OpenSSL and OpenSSH and Apache 2.x - not very good track records. Compare with Postfix and qmail, djbdns.

    Most programmers should stick to writing their programs in languages where the equivalent of "spelling and grammar" errors don't cause execution of arbitrary attacker-code. Sure after a while some writers learn how to spell and their grammar improves but it sometimes takes years. For security you need _perfection_ in critical areas, and you need to be able to identify and isolate the critical areas _perfectly_ in your architecture.

    To the ignorant people who don't get it. Crashing is bad. A crash occurs when the (browser) process writes/reads data in areas where it shouldn't be touching, or tries to execute code where it shouldn't be executing. This often occurs when the process somehow mistakenly executes _data_ supplied by the attacker/bug finder, or returns to addresses supplied by the attacker...

    This sort of thing is what allows people to take over your browser, and screw up your data (and possibly take over your computer if you run the browser using an account with too many privileges).

    So while the FireFox people get their code up to scratch maybe people should reconsider IE - IE isn't so dangerous when configured correctly. Unfortunately it's not that simple to do that.

    To make even unpatched IE browsers invulnerable to 95% of the IE problems just turn off Active Scripting and ActiveX for all zones except very trusted zones which will never have malicious data. Since I don't trust Microsoft's trusted zone (XP has *.microsoft.com as trusted even though it doesn't show up in the menus), I create a custom zone and make that MY trusted zone.

    By all zones I mean you must turn that stuff off for the My Computer zone as well - but that screws up Windows Explorer in the default view mode (which is unsafe anyway).

    For more info read this: Description of Internet Explorer security zones registry entries [http://support.microsoft.com/default.aspx?kbid=182569]

    To make the My Computer zone visible change:
    (for computer wide policy)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags

    To: 0x00000001

    (for just a particular user)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags

    To: 0x00000001

    If you don't want to edit the registry and make the My Computer zone visible, you can still control the My Computer Zone settings from the group policy editor (gpedit.msc) or the active directory policy editor.

    You just have to know some Microsoft stuff. But hey, securing an OSS O/S and _keeping_ it secure (esp when u need to run lots of 3rd party software) also requires some in-depth knowledge.
  • The 'Program Crash = Security Hole' doesn't follow by c.ecker (Score:1) Tuesday October 19 2004, @09:26AM
  • Uhhh, private warez? by topace (Score:1) Tuesday October 19 2004, @09:27AM
  • *whew* by Theatetus (Score:2) Tuesday October 19 2004, @09:27AM
  • Why wasn't this tested? by Anonymous Coward (Score:1) Tuesday October 19 2004, @09:36AM
  • Anyone switching to IE now here? by robotoil (Score:1) Tuesday October 19 2004, @09:40AM
  • this could be bad (Score:3, Insightful)

    by An ominous Cow art (320322) * on Tuesday October 19 2004, @09:54AM (#10565102)
    I think a lot of people are missing the point here. I don't have time to personally verify whether the author's claims are correct; let's assume they are. The type of errors he saw are potentially the type that could be exploited via the tried-and-true buffer overflow method. This is the kind of thing that leads to "execution of arbitrary code", in other words, 0wnage. If Bad Guys craft a special web page, they could target those of us who use these non-IE browsers.

    In other words, the people who have been defending IE (and Microsoft in general) by saying "your Mozillas and Operas have been safe from security problems only because nobody uses them" will not only have a field day, but now the clock is ticking. There's proof that there are promising means of attack against these browsers. Someone is surely going to research this. I really hope the good guys developing these browsers rise to the challenge and tighten up the code before we (the people who have been recommending them for years) start losing credibility. I'm inspired to look into helping them out.

    Sorry if this seems incoherent, I keep getting interrupted as I type this. Stupid work...
  • This is why we need CHROOT browsers by freelunch (Score:2) Tuesday October 19 2004, @10:00AM
  • Fault tolerance by base_chakra (Score:2) Tuesday October 19 2004, @10:02AM
  • Umh... by vidarlo (Score:1) Tuesday October 19 2004, @10:20AM
  • Testing by random input is not new... by cayle clark (Score:1) Tuesday October 19 2004, @10:40AM
  • I hate propoganda by coshx (Score:1) Tuesday October 19 2004, @10:46AM
  • I love random input (Score:3, Interesting)

    by John Jorsett (171560) on Tuesday October 19 2004, @10:51AM (#10565896)
    I did much the same to test a user interface written by another programmer on a project we were assigned to. The interface wasn't a gui, it was a pure ASCII type, so I wrote a random character generator and threw the output at her interface for days at a time. Crash. Crash. Crash. It was wonderful. I don't know that it found every flaw, but I'll bet no one ever killed her interface by leaning on the keyboard (as actually happened on an earlier project I'd heard about).
  • by Anonymous Coward on Tuesday October 19 2004, @10:53AM (#10565924)
    I ran into similar issues with IE ignoring stuff and Mozilla catching it a few years ago when I was developing one of my first web applications with servlets. Mozilla was a great browser for testing my web apps during development. I remember I had a bug in my code that was supposed to populate a dropdown with options from a database but instead choked somewhere in the model layer and populated it with a bunch of breakspaces. Mozilla would show me the space characters in the dropdown where IE simply ignored them and pretended like the dropdown was empty.

    It's a real pain in the neck for IE to not try to show what's actually there because when I first looked at the page in IE I assumed that I just wasn't getting what I wanted from the database since my dropdown was empty. In reality it wasn't empty, IE just didn't want to show me 1000 breakspaces as an option in my dropdown which is bad from a developer's standpoint. However, masking and hiding bad code and data is something that I absolutely want a browser to do when the application is out in production being used by my clients.

    The bottom line is you should always develop your web applications with a browser like Mozilla that is going to catch your mistakes but once your application is out the door it's better for clients to be using a browser that will hide any mistakes you didn't catch!
  • First impression == cool by sloth jr (Score:2) Tuesday October 19 2004, @10:56AM
  • You should all be using the standard Web Browser. by Anonymous Coward (Score:1) Tuesday October 19 2004, @11:05AM
  • Smackdown by d_jedi (Score:2) Tuesday October 19 2004, @11:18AM
  • This is why I still use IE by SnprBoB86 (Score:2) Tuesday October 19 2004, @11:19AM
  • Did IE really not crash? (Score:4, Interesting)

    by divad27182 (823483) on Tuesday October 19 2004, @11:24AM (#10566321)
    I have to ask:

    When saying that Microsoft Internet Explorer didn't crash, does he mean that the window never went away, or that the program iexplore.exe stayed running? I can't prove it, but I suspect that the "IE" window would survive a crash of the rendering engine, because the window is actually provided by explorer.exe, which is the desktop manager.

    I also suspect that several of the open source browsers could defend themselves against this kind of crash within a day or two, simply by using a two process model. Personally, I would rather they did not! (I want to see it fail, otherwise I would not know something was wrong.)
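    The two comments above describe the same pair of ideas from opposite ends: throw random input at a parser for days and count the crashes, and isolate the parser in its own process so a crash becomes a reportable event rather than a dead window. The following is an added example written for this page; it is not code from the thread, from the BugTraq post, or from any browser. Everything in it is constructed: `toy_count_tags` is a deliberately fragile stand-in for a rendering engine (it dereferences NULL on an unterminated tag), `run_isolated` is the child-process wrapper, and `fuzz_campaign` generates tag soup from a seeded generator so any crashing input can be replayed from its seed. It assumes a POSIX system (`fork`, `waitpid`).

```c
/* Added example, not from the thread or any browser: a fork-isolated
 * random-input harness. Assumes POSIX fork/waitpid. All names hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

enum run_result { RUN_OK = 0, RUN_CRASHED = 1, RUN_ERROR = 2 };

/* Constructed toy "engine": counts <...> tags. It has one deliberate bug so
 * the harness has something to catch: for an unterminated '<', strchr returns
 * NULL and the read below dereferences it (volatile keeps the load). */
int toy_count_tags(const char *html)
{
    int count = 0;
    const char *p = html;
    while ((p = strchr(p, '<')) != NULL) {
        const char *end = strchr(p, '>');
        char closer = *(volatile const char *)end;   /* NULL deref when unterminated */
        if (closer == '>')
            count++;
        p = end + 1;
    }
    return count;
}

/* The "two process model" from the comment above: parse in a child, let the
 * parent observe how it died. A SIGSEGV in the child is reported, not fatal. */
enum run_result run_isolated(const char *input)
{
    pid_t pid = fork();
    if (pid < 0)
        return RUN_ERROR;
    if (pid == 0) {
        toy_count_tags(input);
        _exit(0);                      /* child: no stdio flush, no atexit */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return RUN_ERROR;
    if (WIFSIGNALED(status))
        return RUN_CRASHED;            /* SIGSEGV, SIGBUS, SIGABRT, ... */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return RUN_OK;
    return RUN_ERROR;
}

/* Small deterministic generator so a crashing case is reproducible from its seed. */
static unsigned int lcg_next(unsigned int *state)
{
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fff;
}

/* Fill buf with random "tag soup" drawn from a tiny, constructed alphabet. */
void make_tag_soup(unsigned int seed, char *buf, size_t len)
{
    static const char alphabet[] = "<>ab /";
    unsigned int state = seed;
    for (size_t i = 0; i + 1 < len; i++)
        buf[i] = alphabet[lcg_next(&state) % (sizeof(alphabet) - 1)];
    buf[len - 1] = '\0';
}

/* Run `rounds` random inputs through the isolated engine; return the crash count. */
int fuzz_campaign(unsigned int seed, int rounds)
{
    int crashes = 0;
    char buf[32];
    for (int i = 0; i < rounds; i++) {
        unsigned int case_seed = seed + (unsigned int)i;
        make_tag_soup(case_seed, buf, sizeof buf);
        if (run_isolated(buf) == RUN_CRASHED) {
            crashes++;
            printf("crash, replay with seed %u: %s\n", case_seed, buf);
        }
    }
    return crashes;
}

int main(void)
{
    int crashes = fuzz_campaign(1, 50);
    printf("%d of 50 random inputs crashed the toy engine\n", crashes);
    return 0;
}
```

    The harness itself never dies: the only thing the parent learns from the child is a wait status, which is exactly the property the comment above wants from a separate rendering process. Note that the same isolation also hides the failure from a casual user, which is the commenter's objection; the fix is to log and report the child's signal, as `fuzz_campaign` does, rather than to swallow it.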
  • Another way of looking at it.... by toolz (Score:2) Tuesday October 19 2004, @11:32AM
  • OK - now lets see how long it takes to get fixed! by strags (Score:2) Tuesday October 19 2004, @11:45AM
  • that explains it by kumar303 (Score:1) Tuesday October 19 2004, @12:41PM
  • Let firefox crush... leave jpeg's to MSiE by deamonius (Score:1) Tuesday October 19 2004, @01:00PM
  • Meanwhile... (Score:3, Interesting)

    by tsarin (217882) on Tuesday October 19 2004, @01:28PM (#10567645)

    100% valid CSS and XHTML continues [tudelft.nl] to crash IE.
  • What they forgot to mention... by lone_knight (Score:1) Tuesday October 19 2004, @02:02PM
  • In other news by Raunch (Score:1) Tuesday October 19 2004, @02:24PM
  • Lynx gallery example (Score:3, Interesting)

    by lahvak (69490) on Tuesday October 19 2004, @02:50PM (#10568569)
    (Last Journal: Thursday February 17 2005, @12:11PM)
    Tried the gallery examples, firefox crashes reliably, links does too (from the error messages it looks like they actually catch the NULL pointer - it says "malloc returned NULL pointer" - but don't react to it)

    However, I was not able to crash lynx with the example. It takes a while to render the page, but it renders it just fine (considering it is actually invalid HTML). Perhaps it depends on the amount of memory you have.

    If I remember correctly, a while ago there were rumors being circulated that IE is specifically designed to deal well with invalid HTML. A lot of people were of the opinion that it is really bad, and that invalid HTML code should be rejected. They said IE basically encouraged sloppy web design.
  • IE has its flaws by the_womble (Score:2) Tuesday October 19 2004, @02:59PM
  • I use Safari, but I hate it by grikdog (Score:1) Tuesday October 19 2004, @03:15PM
  • tried the cgi link by lahvak (Score:1) Tuesday October 19 2004, @04:38PM
  • wow by jmank88 (Score:1) Tuesday October 19 2004, @05:36PM
  • Another test this guy could do. by cjellibebi (Score:2) Tuesday October 19 2004, @05:49PM
  • If something like this breaks the browser... by rush22 (Score:1) Tuesday October 19 2004, @07:21PM
  • Hey, at least... by inode_buddha (Score:1) Tuesday October 19 2004, @07:31PM
  • Safari survives, Camino does not by mistermoonlight (Score:1) Tuesday October 19 2004, @08:17PM
  • That's great but... by Game Genie (Score:1) Tuesday October 19 2004, @11:24PM
  • Reflects badly on ALL sides by TiggsPanther (Score:2) Wednesday October 20 2004, @08:45AM
  • better the browser crash than allow exploits by konmaskisin (Score:2) Thursday October 21 2004, @01:08PM
  • Re:so? by Dante Shamest (Score:1) Tuesday October 19 2004, @06:33AM
  • Re:This is known (Score:5, Insightful)

    by Mr_Silver (213637) on Tuesday October 19 2004, @06:38AM (#10563472)
    It's quite known that broken code runs quite well on IE.

    Great, but then it also encourages people to write bad code - see all that code with broken tables and a million tags that remain unclosed?

    You're confusing two separate things here:

    1. Broken HTML which doesn't render properly.
    2. Broken HTML that causes corruptions, crashes and the potential for security issues.

    This guy has been testing for (2) and not (1). Bad HTML should never cause crashes, memory corruption and buffer overflows. Period.

    Finally, you can't go blaming the users for bad input. One of the golden rules of software design is that all software should either reject or handle gracefully bad input. Crashing is not graceful.

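    The comment's distinction between (1) HTML that merely renders badly and (2) HTML that corrupts memory comes down to what a parser does when input does not fit its assumptions. The following added example (written for this page, not code from the thread or from any browser) shows the two outcomes side by side for one small task, copying a tag name out of a `<tag ...>` string: a constructed 'before' with an unchecked copy into a fixed buffer, and a version that rejects over-long or unterminated tags with an error code. `TAG_NAME_MAX` and both function names are hypothetical.

```c
/* Added example, not from the thread or any browser. Hypothetical names. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_NAME_MAX 16   /* constructed limit: 15 characters plus NUL */

/* Constructed 'before': the kind of code random HTML finds. The copy has no
 * bound, so a name longer than 15 characters writes past `name`. This is the
 * comment's case (2): memory corruption, not just bad rendering. Shown only for
 * contrast; do not call it on input you do not control. */
void extract_tag_name_unsafe(const char *html, char name[TAG_NAME_MAX])
{
    const char *p = html + 1;            /* assumes html[0] == '<' */
    size_t i = 0;
    while (*p != '>' && *p != ' ' && *p != '\0')
        name[i++] = *p++;                /* no check on i */
    name[i] = '\0';
}

/* Hardened version: 0 on success, -1 on bad input. Every way the input can be
 * wrong becomes a return code the caller handles, which is the "reject or
 * handle gracefully" rule the comment states. Bad HTML at worst renders badly. */
int extract_tag_name(const char *html, char name[TAG_NAME_MAX])
{
    if (html == NULL || html[0] != '<')
        return -1;                       /* not a tag at all */
    const char *p = html + 1;
    size_t i = 0;
    while (*p != '>' && *p != ' ') {
        if (*p == '\0')
            return -1;                   /* unterminated tag: reject */
        if (i + 1 >= TAG_NAME_MAX)
            return -1;                   /* would overflow: reject, don't write */
        name[i++] = *p++;
    }
    if (i == 0)
        return -1;                       /* "<>" carries no name */
    name[i] = '\0';
    return 0;
}

int main(void)
{
    static const char *samples[] = {     /* constructed inputs */
        "<table border=1>", "<abcdefghijklmnop>", "<unterminated", "<>"
    };
    char name[TAG_NAME_MAX];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (extract_tag_name(samples[i], name) == 0)
            printf("%-20s -> tag name \"%s\"\n", samples[i], name);
        else
            printf("%-20s -> rejected\n", samples[i]);
    }
    return 0;
}
```

    The hardened function decides what to do with a bad tag before touching memory; whether the caller then drops the tag, shows it as text, or logs it is a rendering decision, and none of those choices can become a crash.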
  • Re:This is known by metlin (Score:2) Tuesday October 19 2004, @06:39AM
  • Re:so? by Lazy T (Score:1) Tuesday October 19 2004, @06:40AM
    • Re:so? by XO (Score:2) Tuesday October 19 2004, @07:42AM
  • Re:Conspiracy Theory time... (Score:4, Informative)

    by Ann Elk (668880) on Tuesday October 19 2004, @06:41AM (#10563497)

    RTFA. Larry didn't find the broken HTML, he just referenced an article [securityfocus.com] which did.

  • You don't get it by Interfacer (Score:2) Tuesday October 19 2004, @06:44AM
  • Re:What about VALID html? (Score:5, Informative)

    by tomstdenis (446163) <tomstdenis@g m a i l .com> on Tuesday October 19 2004, @06:45AM (#10563520)
    (http://libtom.org/)
    This isn't insightful at all. First, you'll be the first person to bitch when a mozilla virus comes out.

    Second, "crashing when invalid" as you and many others are alluding to is NOT a good idea. What if you had another tab open with email/urls/info you needed?

    What if other software took this route? Invalid operands to open()? Time to crash. Invalid socket used in send()? Time to crash. Segfault in application? Kill the kernel processes!

    It's a problem, it has to be fixed and there aren't two ways about it.

    Tom
  • Re:so? (Score:5, Interesting)

    by Maestro4k (707634) on Tuesday October 19 2004, @07:02AM (#10563640)
    (Last Journal: Thursday January 13 2005, @12:25PM)
    • So what? I have never had a problem with my Firefox crashing (ever). Sure, if you try to make something crash, it eventually will. Considering how many security holes IE has, IE could be the missing link, and I still wouldn't use it.
    Just because you haven't crashed it doesn't mean it's not happening. I switched my Mom over to Firefox for her computer's safety about 2 months back. She's still using it, but it crashes for her regularly and it's becoming a big frustration for her. As she put it "why does Firefox crash so much, IE never crashed on me?" If Mozilla/Firefox/Opera/etc. hope to continue gaining ground on IE, then this type of thing needs to be addressed.

    As I see it the major problem that Mozilla/Firefox has is the vast majority of those using it (and most definitely the vast majority bothering to report bugs/crashes) are techies. Why is that a problem? Well we probably don't spend our time going to "silly" E-card sites and joke sites that use bad flash/html. Sure we can dismiss those sites as not important, because to us they aren't, but to a large portion of the average users out there they're one of the most important things they do in a browser because to them they're fun.

    So I'm betting Mozilla/Firefox actually crashes regularly on non-techies simply because they visit sites that most techies don't bother to test the browser on.

    • Re:so? by Christianfreak (Score:2) Tuesday October 19 2004, @08:07AM
    • Plugins by phorm (Score:3) Tuesday October 19 2004, @10:28AM
  • Re:Is this for real? by Anonymous Coward (Score:1) Tuesday October 19 2004, @07:07AM
  • by millahtime (710421) on Tuesday October 19 2004, @07:09AM (#10563681)
    (http://millahtime.blogspot.com/ | Last Journal: Friday July 15 2005, @01:00PM)
    Test if your code is good or not at http://validator.w3.org/ [w3.org]
  • Re:This is known by root2 (Score:1) Tuesday October 19 2004, @07:24AM
  • Re:How did this article get passed? by BenjyD (Score:1) Tuesday October 19 2004, @07:34AM
  • Re:so? by sosegumu (Score:1) Tuesday October 19 2004, @08:33AM
  • Re:Tip of the iceberg by c.ecker (Score:1) Tuesday October 19 2004, @04:33PM