Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability

"Microsoft Internet Explorer is affected by a denial-of-service
vulnerability. This issue arises because the application fails to handle
exceptional conditions in a proper manner.

An attacker may exploit this issue by enticing a user to visit a malicious
site, resulting in a denial-of-service condition in the application.

This issue results in a NULL-pointer dereference, causing the application to
crash. If attackers can manipulate the pointer being dereferenced, code
execution may be possible. Note that this has not been confirmed.

Since exploiting this issue requires only standard HTML, it may not be
easily mitigated.

Internet Explorer 6 is vulnerable to this issue; other versions may also be
affected."

http://www.securityfocus.com/bid/18112

Imhotep

 

Just restart IE. Worst case scenario, you just reboot.

 

....best way to midagate a Denial of Service code flaw is to fix the code
that allows it! Not reboot, over and over and over again! Enough with
"Microsoft catch all solution to problems"...this too was invented by
Microsoft...

Imhotep

 

Actually, the author of the mangleme malformed HTML fuzzer tool found that
IE 6 coded in 2000 was far far better coded to be far more resistant to this
kind of attack than every other browser out there bar none, including
Firefox coded in 2004. While IE 6 has had some serious security problems in
the past, locking up or executing arbitrary code due to malformed HTML is
not generally one of those problem areas.

Having said that, every browser on the planet is vulnerable to denial of
service and lockups requiring some sort of restart from properly formed HTML
trickery. And every OS on the planet requires restarting a service, process
or application of some sort to fix various problems, although some of the
newer ones allow restarting various components without a total reboot better
than current Windows does.

 

And later refined this statement when he found some more DoS problems in
IE and once more when he implemented CSS content as well, making IE the
worst of all browsers.

Have you been sleeping the last months? Did you even take a look at
unpatched vulnerabilities? Certainly code execution through malformed
HTML is one of MSIE's biggest problems.

Huh? So you suggest you've found a general DoS condition that applies to
currently fully fixed webbrowsers? Details please. I only know about
HTTP 1.1 Deflate encoding decompression bombs, and whereas Windows'
preference of IE takes down the entire system with endless swapping, any
real webbrowsers just swaps a lot and then recovers to normal operation,
can also be killed to stop the swapping right-out.

Fine, but what if you can't create the problems by malicious intent?

BTW, the microsoft.public.internetexplorer.security is a joke, isn't it?

 

First this thread has nothing to do with IE or Firefox? What exactly is your
point here? Second, maybe, just maybe, IE was secure in regards to
maleformed HTML but it has a horrible track record every where else, BAR
NONE.

Restart "X" has become the catch all solution to Windows problem solving and
yes, it was "invented by Windows" as this behavior was not tolerated prior.
Second, replying to someone saying:

"Just restart IE. Worst case scenario, you just reboot."

is just downright pathetic. How about a new concept? How about they fix the
code? Remember not 6 months ago there was yet another vulnerability in IE
that was listed as low critical "just a DOS" vulnerability? Turned out that
vulnerability turned into a buffer overflow (and required a
reclassification as Highly critical). Haven't you guys learned anything?
How about demanding software quality and timely patches? How many time do
you guys have to relive the same problems before something clicks?

Imhotep

 

Eh, no. Even on Unix they concluded "yes, we could carefully
deinitialize and restart this specific services with dependencies, but
it would be too complicated to implement, so we better restart the whole
system."

For Windows, it's just that there are more scenarios requiring a reboot.

I'm remembering a similar case that is still unfixed since October 2002.

The subtype was a boundary error (i.e. a buffer overflow due to an array
being filled by multiple threads without properly synchronizing the
index counter) which, if not exact conditions are held, typically only
results in a null pointer dereference. As Microsoft requires to exactly
reproduce the problem, they're too stupid to understand where the real
problem is.

Dunno, but from what Guninski and Lie Di Yu concluded about some serious
design bugs IE was never designed/intended to be used in a untrusted
network (like the internet).

Until it's explicitly written into a (online) manual about IE? I guess
not even then.

 

You started this thread, so you know it's about IE, including the subject
line.

For a browser lock up, I find it quite acceptable, as would most people.

Who said they aren't? I'm certain they are. Now, if you feel it's not fast
enough for you, then you should probably switch to Linux and leave us in
peace. Why are you still using Windows again?

That's pretty common when it comes to vulns and is not specific to
Microsoft. First a DoS is found, then a code execution is found.

Who said I don't? You clearly know nothing of my relationship with
Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every
subject, despite my having provided proof to the contrary to you repeatedly
in the past. You're only happy if I tell you, "you're right on everything
you say."

 

I stop/start/restart services every day as we are a UNIX shop. I almost
NEVER have to reboot (except when upgrading the OS)...

Just about everything require a reboot in windows...

That is very typical....

I believe it.

hahahaha...

 

type-o: replace "IE or Firefox" with "IE *vs* Firefox"...

And again my statement stands. This thread is NOT about IE vs Firefox vs
whatever so stop the feeble attempt to make it that...

As opposed to fixing the code? Are you really making that statement?

Windows patch times are pathetic...These are security holes here and as such
patch times should be on the order of days, not weeks, months and even some
cases years...

This should not be *common*. Second, my point *is* that this kind of
attitude of "don't worry just reboot" is pathetic and leads to more
security vulnerabilities (as in the example I gave above). If the security
hole is fixed while it is "just a DOS" then the "code execution" would
never be able to happen now would it....

Did you miss your nightly medication? I said nothing of your relation
Microsoft nor do I care if you have one or not...

However, comments like "don't worry just reboot" are irresponsible...

-- Imhotep

 

I meant kernel services from a system view, not these services services.
When chancing some not dynamically loaded kernel components, you'll have
to reboot.

Only it you don't know what to do. Some people reboot for unlocking open
files, some other people just enter the admin password, aquire debug
privilege and invalidate the file handle using Unlocker or Process
Explorer (of course, there's no default tool who has such an ability).

I remember my last reboot was... ehm... eh... sorry, simply can't
remember such a long time. Must have been somewhere around the initial
setup about a year ago (when the previous harddisk died).

This is very typical for every programmer who doesn't have a
sufficiently deep clue. The real problem is that Microsoft shouldn't let
such underqualified people handle important security stuff, and I know
that they do have qualified programmers.

I don't. There are some other smaller design errors which could be fixed
without revamping the entire code, and a lot of errors are really just
random programming errors.

So far only the cross-domain policy and the entire concept of ActiveX
are definitely broken. The rest is just lousy.

Well, there's a difference between intent and suitability.

Don't wonder, in Microsoft online documentation you'll find explicit
warning about the unencrypted nature of using telnet, rcp, rsh and rexec
with recommendations for SSH, SCP and SFTP. You'll find warnings that LM
hashes are bad, bad, bad. You'll even find some press paper admitting
that Win98's multi-monitor support was beta quality.

 

The only time you have to reboot UNIX is upgraded/altering the kernel,
generally speaking. Even kernel modules can be loaded/unloaded while the
system is up and running perfectly fine. Frankly, this is acceptable since
you very rarely upgrade your kernel. Everything else does not require
rebooting...

I am talking about the foolish requirement when you install software. Why is
it the majority of the time if I install software (applications) I have to
reboot. This is the foolishness to which I speak...

I guess you did not patch that Windows box of yours!

I have some linux boxes that have been running for years. Literally 3+
years...(even patched them without rebooting, no kernel patches that is)

Every company has qualified people. Microsoft's problem is that they care
more about marketing than quality...that is their problem. Case and point
is vista. They had an opportunity to finally force vendors to make software
that does not require users to be in the local admin group (bad security).
Now, I know form experience that you can get most MS software to run by
altering permission/groups/or runas but this is not out-of-the-box
behavior. Instead of doing this (telling software vendors to make software
that is installed as a local admin but run by regular users) they said we
will us the UAC and just bombard users with permission questions. This is
just plain foolish. How many users will just answer "yes" to everything
thus making the "security" behind the idea moot?

Some probably are small design errors and some probably are deep structural
and thus are difficult to fix.

Cross domain was always a bad joke. Active-x was just Microsoft's way to
have a java-like application. Most companies don;t even allow active-x
through their firewalls for good reason.

It is not rocket science...

Imhotep

 

Yeah, I sometimes see software asking for reboots. Well, why should I
follow their outdated advices?

I did.

My Win2K box has been running for five years until the hardware died.

Hm... one could say it's the company motto: "writing software to make money"

Why do you think they crippled outbound connections with raw sockets on
WinXP SP2? Just to fulfill the foolish cries of foolish GRC worshippers.
Better image = more people keep on using Windows, more are gonna buy the
next version

Even worse, UAC doesn't work at all. The user is still an admin, just
every program is started with user rights - if the user actually was an
use, he couldn't give the programs additional rights. But now some parts
of the GUI and lots of services and drivers are still running with admin
rights, opening windows and receiving IPC messages across the UAC
boundary - a malicious program can break out of the isolation.

Dunno, but Vista will be crap anyway due to a trojan horse being
integrated into the kernel.

Yes, but now we know that it's fundamentally broken.

Java at least has a chance to become secure, and Sun really does a good job.

It is marketing. May I say: IE is fine, just don't call it a webbrowser.
It's a wonderful ActiveX client platform for the intranet.

 

nor do I care if you have one or not...

Only Chicken Little runs around panicking about every issue out there.
Until shown otherwise, most people agree that a browser lockup like this is
an extremely minor issue. You and I know there are far more significant
security issues out there affecting Microsoft products, and I'm going to
focus my time and attention there. Encouraging others to do the same is
responsible, not irresponsible.

 

Yeah, because dumb people are already used to such issues.
However, for serious people is is unacceptable, because they usually
don't face such issues.

There are non in IE.
Well, except if you're misusing IE as a webbrowser, and then the issues
are inherent (just like using telnet for remote access).

BTW, would you please stop cross-posting without setting a Followup-To?

 

hummm...one is reminded of a security vulnerability in IE not more than 8
months ago that was just "a DOS" yet turned into a full blown critical
security hole which code could be run from just visiting a web site. Now,
you think security "professionals" would take a more serious look at "just
a DOS". Most do, but, I guess there still are some that must learn the hard
way, yet, again....

So, call me whatever you want. I much rather be called "Chicken Little" than
a fake security professional anyday...

--- Imhotep

 

Again, nicely said.....


Imhotep