Computer Security - Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
#1

"Microsoft Internet Explorer is affected by a denial-of-service vulnerability. This issue arises because the application fails to handle exceptional conditions in a proper manner. An attacker may exploit this issue by enticing a user to visit a malicious site, resulting in a denial-of-service condition in the application. This issue results in a NULL-pointer dereference, causing the application to crash. If attackers can manipulate the pointer being dereferenced, code execution may be possible. Note that this has not been confirmed. Since exploiting this issue requires only standard HTML, it may not be easily mitigated. Internet Explorer 6 is vulnerable to this issue; other versions may also be affected."

http://www.securityfocus.com/bid/18112

Imhotep

#2

Posts: n/a

"Imhotep" <> wrote in message news

> Since exploiting this issue requires only standard HTML, it may not be
> easily mitigated.

Just restart IE. Worst case scenario, you just reboot.

Karl Levinson

#3

Posts: n/a

Karl Levinson wrote:

> "Imhotep" <> wrote in message
> news
>
>> Since exploiting this issue requires only standard HTML, it may not be
>> easily mitigated.
>
> Just restart IE. Worst case scenario, you just reboot.

...best way to mitigate a Denial of Service code flaw is to fix the code that allows it! Not reboot, over and over and over again! Enough with "Microsoft catch all solution to problems"...this too was invented by Microsoft...

Imhotep

#4

Posts: n/a

>> "Imhotep" <> wrote in message
>> news

>> Just restart IE. Worst case scenario, you just reboot.
>
> ...best way to mitigate a Denial of Service code flaw is to fix the code
> that allows it! Not reboot, over and over and over again! Enough with
> "Microsoft catch all solution to problems"...this too was invented by
> Microsoft...

Actually, the author of the mangleme malformed HTML fuzzer tool found that IE 6 coded in 2000 was far far better coded to be far more resistant to this kind of attack than every other browser out there bar none, including Firefox coded in 2004. While IE 6 has had some serious security problems in the past, locking up or executing arbitrary code due to malformed HTML is not generally one of those problem areas.

Having said that, every browser on the planet is vulnerable to denial of service and lockups requiring some sort of restart from properly formed HTML trickery. And every OS on the planet requires restarting a service, process or application of some sort to fix various problems, although some of the newer ones allow restarting various components without a total reboot better than current Windows does.

Karl Levinson

#5

Posts: n/a

Karl Levinson wrote:

>>> Just restart IE. Worst case scenario, you just reboot.
>>
>> ...best way to mitigate a Denial of Service code flaw is to fix the code
>> that allows it! Not reboot, over and over and over again! Enough with
>> "Microsoft catch all solution to problems"...this too was invented by
>> Microsoft...
>
> Actually, the author of the mangleme malformed HTML fuzzer tool found that
> IE 6 coded in 2000 was far far better coded to be far more resistant to this
> kind of attack than every other browser out there bar none, including
> Firefox coded in 2004.

And later refined this statement when he found some more DoS problems in IE and once more when he implemented CSS content as well, making IE the worst of all browsers.

> While IE 6 has had some serious security problems in
> the past, locking up or executing arbitrary code due to malformed HTML is
> not generally one of those problem areas.

Have you been sleeping the last months? Did you even take a look at unpatched vulnerabilities? Certainly code execution through malformed HTML is one of MSIE's biggest problems.

> Having said that, every browser on the planet is vulnerable to denial of
> service and lockups requiring some sort of restart from properly formed HTML
> trickery.

Huh? So you suggest you've found a general DoS condition that applies to currently fully fixed webbrowsers? Details please. I only know about HTTP 1.1 Deflate encoding decompression bombs, and whereas Windows' preference of IE takes down the entire system with endless swapping, any real webbrowser just swaps a lot and then recovers to normal operation, can also be killed to stop the swapping right-out.

> And every OS on the planet requires restarting a service, process
> or application of some sort to fix various problems, although some of the
> newer ones allow restarting various components without a total reboot better
> than current Windows does.

Fine, but what if you can't create the problems by malicious intent?

BTW, the microsoft.public.internetexplorer.security is a joke, isn't it?

Sebastian Gottschalk

#6

Posts: n/a

Karl Levinson wrote:

>>> "Imhotep" <> wrote in message
>>> news
>
>>> Just restart IE. Worst case scenario, you just reboot.
>>
>> ...best way to mitigate a Denial of Service code flaw is to fix the code
>> that allows it! Not reboot, over and over and over again! Enough with
>> "Microsoft catch all solution to problems"...this too was invented by
>> Microsoft...
>
> Actually, the author of the mangleme malformed HTML fuzzer tool found that
> IE 6 coded in 2000 was far far better coded to be far more resistant to
> this kind of attack than every other browser out there bar none, including
> Firefox coded in 2004. While IE 6 has had some serious security problems
> in the past, locking up or executing arbitrary code due to malformed HTML
> is not generally one of those problem areas.

First this thread has nothing to do with IE or Firefox? What exactly is your point here? Second, maybe, just maybe, IE was secure in regards to malformed HTML but it has a horrible track record everywhere else, BAR NONE.

> Having said that, every browser on the planet is vulnerable to denial of
> service and lockups requiring some sort of restart from properly formed
> HTML
> trickery. And every OS on the planet requires restarting a service,
> process or application of some sort to fix various problems, although some
> of the newer ones allow restarting various components without a total
> reboot better than current Windows does.

Restart "X" has become the catch all solution to Windows problem solving and yes, it was "invented by Windows" as this behavior was not tolerated prior. Second, replying to someone saying:

"Just restart IE. Worst case scenario, you just reboot."

is just downright pathetic. How about a new concept? How about they fix the code? Remember not 6 months ago there was yet another vulnerability in IE that was listed as low critical "just a DOS" vulnerability? Turned out that vulnerability turned into a buffer overflow (and required a reclassification as Highly critical).

Haven't you guys learned anything? How about demanding software quality and timely patches? How many times do you guys have to relive the same problems before something clicks?

Imhotep

#7

Posts: n/a

Imhotep wrote:

> Restart "X" has become the catch all solution to Windows problem
> solving and yes, it was "invented by Windows" as this behavior was
> not tolerated prior. Second, replying to someone saying:

Eh, no. Even on Unix they concluded "yes, we could carefully deinitialize and restart this specific services with dependencies, but it would be too complicated to implement, so we better restart the whole system."

For Windows, it's just that there are more scenarios requiring a reboot.

> "Just restart IE. Worst case scenario, you just reboot."
>
> is just downright pathetic. How about a new concept? How about they
> fix the code? Remember not 6 months ago there was yet another
> vulnerability in IE that was listed as low critical "just a DOS"
> vulnerability?

I'm remembering a similar case that is still unfixed since October 2002.

> Turned out that vulnerability turned into a buffer overflow (and
> required a reclassification as Highly critical).

The subtype was a boundary error (i.e. a buffer overflow due to an array being filled by multiple threads without properly synchronizing the index counter) which, if not exact conditions are held, typically only results in a null pointer dereference. As Microsoft requires to exactly reproduce the problem, they're too stupid to understand where the real problem is.

> How about demanding software quality and timely patches?

Dunno, but from what Guninski and Lie Di Yu concluded about some serious design bugs IE was never designed/intended to be used in an untrusted network (like the internet).

> How many times do you guys have to relive the same problems before
> something clicks?

Until it's explicitly written into a (online) manual about IE? I guess not even then.

Sebastian Gottschalk

#8

Posts: n/a

"Imhotep" <> wrote in message news:XNidnS9ZorqQQ-...

> First this thread has nothing to do with IE or Firefox?

You started this thread, so you know it's about IE, including the subject line.

> "Just restart IE. Worst case scenario, you just reboot."
>
> is just downright pathetic.

For a browser lock up, I find it quite acceptable, as would most people.

> How about a new concept? How about they fix the
> code?

Who said they aren't? I'm certain they are. Now, if you feel it's not fast enough for you, then you should probably switch to Linux and leave us in peace. Why are you still using Windows again?

> Remember not 6 months ago there was yet another vulnerability in IE
> that was listed as low critical "just a DOS" vulnerability? Turned out
> that
> vulnerability turned into a buffer overflow (and required a
> reclassification as Highly critical).

That's pretty common when it comes to vulns and is not specific to Microsoft. First a DoS is found, then a code execution is found.

> Haven't you guys learned anything?
> How about demanding software quality and timely patches?

Who said I don't? You clearly know nothing of my relationship with Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every subject, despite my having provided proof to the contrary to you repeatedly in the past. You're only happy if I tell you, "you're right on everything you say."

Karl Levinson

#9

Posts: n/a

Sebastian Gottschalk wrote:

> Imhotep wrote:
>
>> Restart "X" has become the catch all solution to Windows problem
>> solving and yes, it was "invented by Windows" as this behavior was
>> not tolerated prior. Second, replying to someone saying:
>
> Eh, no. Even on Unix they concluded "yes, we could carefully
> deinitialize and restart this specific services with dependencies, but
> it would be too complicated to implement, so we better restart the whole
> system."

I stop/start/restart services every day as we are a UNIX shop. I almost NEVER have to reboot (except when upgrading the OS)...

> For Windows, it's just that there are more scenarios requiring a reboot.

Just about everything requires a reboot in Windows...

>> "Just restart IE. Worst case scenario, you just reboot."
>>
>> is just downright pathetic. How about a new concept? How about they
>> fix the code? Remember not 6 months ago there was yet another
>> vulnerability in IE that was listed as low critical "just a DOS"
>> vulnerability?
>
> I'm remembering a similar case that is still unfixed since October 2002.
>
>> Turned out that vulnerability turned into a buffer overflow (and
>> required a reclassification as Highly critical).
>
> The subtype was a boundary error (i.e. a buffer overflow due to an array
> being filled by multiple threads without properly synchronizing the
> index counter) which, if not exact conditions are held, typically only
> results in a null pointer dereference. As Microsoft requires to exactly
> reproduce the problem, they're too stupid to understand where the real
> problem is.

That is very typical....

>> How about demanding software quality and timely patches?
>
> Dunno, but from what Guninski and Lie Di Yu concluded about some serious
> design bugs IE was never designed/intended to be used in an untrusted
> network (like the internet).

I believe it.

>> How many times do you guys have to relive the same problems before
>> something clicks?
>
> Until it's explicitly written into a (online) manual about IE? I guess
> not even then.

hahahaha...

Imhotep

#10

Posts: n/a

Karl Levinson wrote:

> "Imhotep" <> wrote in message
> news:XNidnS9ZorqQQ-...
>
>> First this thread has nothing to do with IE or Firefox?
>
> You started this thread, so you know it's about IE, including the subject
> line.

Typo: replace "IE or Firefox" with "IE *vs* Firefox"... And again my statement stands. This thread is NOT about IE vs Firefox vs whatever so stop the feeble attempt to make it that...

>> "Just restart IE. Worst case scenario, you just reboot."
>>
>> is just downright pathetic.
>
> For a browser lock up, I find it quite acceptable, as would most people.

As opposed to fixing the code? Are you really making that statement?

>> How about a new concept? How about they fix the
>> code?
>
> Who said they aren't? I'm certain they are. Now, if you feel it's not
> fast enough for you, then you should probably switch to Linux and leave us
> in
> peace. Why are you still using Windows again?

Windows patch times are pathetic... These are security holes here and as such patch times should be on the order of days, not weeks, months and even some cases years...

>> Remember not 6 months ago there was yet another vulnerability in IE
>> that was listed as low critical "just a DOS" vulnerability? Turned out
>> that
>> vulnerability turned into a buffer overflow (and required a
>> reclassification as Highly critical).
>
> That's pretty common when it comes to vulns and is not specific to
> Microsoft. First a DoS is found, then a code execution is found.

This should not be *common*. Second, my point *is* that this kind of attitude of "don't worry just reboot" is pathetic and leads to more security vulnerabilities (as in the example I gave above). If the security hole is fixed while it is "just a DOS" then the "code execution" would never be able to happen now would it....

>> Haven't you guys learned anything?
>> How about demanding software quality and timely patches?
>
> Who said I don't? You clearly know nothing of my relationship with
> Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every
> subject, despite my having provided proof to the contrary to you
> repeatedly
> in the past. You're only happy if I tell you, "you're right on everything
> you say."

Did you miss your nightly medication? I said nothing of your relation with Microsoft nor do I care if you have one or not... However, comments like "don't worry just reboot" are irresponsible...

--
Imhotep