Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability

Discussion in 'Computer Security' started by Imhotep, May 27, 2006.

  1. Imhotep

    Imhotep Guest

    "Microsoft Internet Explorer is affected by a denial-of-service
    vulnerability. This issue arises because the application fails to handle
    exceptional conditions in a proper manner.

    An attacker may exploit this issue by enticing a user to visit a malicious
    site, resulting in a denial-of-service condition in the application.

    This issue results in a NULL-pointer dereference, causing the application to
    crash. If attackers can manipulate the pointer being dereferenced, code
    execution may be possible. Note that this has not been confirmed.

    Since exploiting this issue requires only standard HTML, it may not be
    easily mitigated.

    Internet Explorer 6 is vulnerable to this issue; other versions may also be
    affected."

    http://www.securityfocus.com/bid/18112

    Imhotep
     
    Imhotep, May 27, 2006
    #1
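As an added illustration (this is constructed example code, not the advisory's, the thread's, or Internet Explorer's code), the toy tag parser below shows the defect pattern the advisory names: a lookup that returns NULL on an "exceptional condition" (attribute absent, or its value never closed by a second quote) and a caller that dereferences the result without checking it, next to the hardened caller that maps every failure path to a sentinel. The function names, the tag grammar and the sample tags are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy tag parser (not IE code): find attribute `name` inside one
 * tag string such as <img src="a.png" alt="x">. On success returns a pointer
 * to the first byte of the quoted value and stores its length in *len.
 * Returns NULL for the two "exceptional conditions": the attribute is absent,
 * or its value is never closed by a second quote (malformed HTML). */
static const char *find_attr(const char *tag, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = tag;

    while ((p = strstr(p, name)) != NULL) {
        /* Accept only a whole attribute name followed by ="  */
        int at_boundary = (p == tag || p[-1] == ' ' || p[-1] == '<');
        if (at_boundary && p[nlen] == '=' && p[nlen + 1] == '"') {
            const char *start = p + nlen + 2;
            const char *end = strchr(start, '"');
            if (end == NULL)
                return NULL;            /* unterminated value: malformed */
            *len = (size_t)(end - start);
            return start;
        }
        p += nlen;                      /* keep scanning past this match */
    }
    return NULL;                        /* attribute not present */
}

/* The defect pattern from the advisory: the caller assumes the lookup always
 * succeeds, so an absent or malformed src attribute turns into a NULL-pointer
 * dereference and the process crashes. Only safe when src is known to exist. */
char first_src_char_unchecked(const char *tag)
{
    size_t len = 0;
    const char *v = find_attr(tag, "src", &len);
    return v[0];                        /* crashes on <img alt="x"> */
}

/* Hardened form: every failure path of find_attr is handled and mapped to a
 * sentinel (0) instead of being dereferenced; an empty value is treated the
 * same way so the caller never reads the closing quote by mistake. */
char first_src_char_checked(const char *tag)
{
    size_t len = 0;
    const char *v = find_attr(tag, "src", &len);
    if (v == NULL || len == 0)
        return 0;
    return v[0];
}

int main(void)
{
    /* Constructed sample tags: well-formed, missing src, unterminated value. */
    const char *ok  = "<img src=\"/a.png\" alt=\"x\">";
    const char *bad = "<img alt=\"x\">";
    const char *cut = "<img src=\"unterminated>";

    printf("checked ok  -> '%c'\n", first_src_char_checked(ok));
    printf("checked bad -> %d\n", first_src_char_checked(bad));
    printf("checked cut -> %d\n", first_src_char_checked(cut));
    /* first_src_char_unchecked(bad) would dereference NULL here. */
    return 0;
}
```

The point for a reviewer is that the crash is not in the parser but in the caller's missing check: `find_attr` already reports the malformed input correctly, and the unchecked caller discards that signal. The hardened caller also treats an empty `src=""` as a failure so it never reads the closing quote as if it were data.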

  2. Just restart IE. Worst case scenario, you just reboot.
     
    Karl Levinson, May 27, 2006
    #2

  3. Imhotep

    Imhotep Guest


    ....best way to mitigate a Denial of Service code flaw is to fix the code
    that allows it! Not reboot, over and over and over again! Enough with
    "Microsoft catch-all solution to problems"...this too was invented by
    Microsoft...

    Imhotep
     
    Imhotep, May 27, 2006
    #3
  4. Actually, the author of the mangleme malformed HTML fuzzer tool found that
    IE 6 coded in 2000 was far far better coded to be far more resistant to this
    kind of attack than every other browser out there bar none, including
    Firefox coded in 2004. While IE 6 has had some serious security problems in
    the past, locking up or executing arbitrary code due to malformed HTML is
    not generally one of those problem areas.

    Having said that, every browser on the planet is vulnerable to denial of
    service and lockups requiring some sort of restart from properly formed HTML
    trickery. And every OS on the planet requires restarting a service, process
    or application of some sort to fix various problems, although some of the
    newer ones allow restarting various components without a total reboot better
    than current Windows does.
     
    Karl Levinson, May 30, 2006
    #4
  5. And later refined this statement when he found some more DoS problems in
    IE and once more when he implemented CSS content as well, making IE the
    worst of all browsers.
    Have you been sleeping the last months? Did you even take a look at
    unpatched vulnerabilities? Certainly code execution through malformed
    HTML is one of MSIE's biggest problems.
    Huh? So you suggest you've found a general DoS condition that applies to
    currently fully fixed webbrowsers? Details please. I only know about
    HTTP 1.1 Deflate encoding decompression bombs, and whereas Windows'
    preference of IE takes down the entire system with endless swapping, any
    real webbrowser just swaps a lot and then recovers to normal operation,
    and can also be killed to stop the swapping outright.
    Fine, but what if you can't create the problems by malicious intent?

    BTW, the microsoft.public.internetexplorer.security is a joke, isn't it?
     
    Sebastian Gottschalk, May 30, 2006
    #5
  6. Imhotep

    Imhotep Guest

    First, this thread has nothing to do with IE or Firefox? What exactly is your
    point here? Second, maybe, just maybe, IE was secure in regards to
    malformed HTML but it has a horrible track record everywhere else, BAR
    NONE.

    Restart "X" has become the catch all solution to Windows problem solving and
    yes, it was "invented by Windows" as this behavior was not tolerated prior.
    Second, replying to someone saying:

    "Just restart IE. Worst case scenario, you just reboot."

    is just downright pathetic. How about a new concept? How about they fix the
    code? Remember not 6 months ago there was yet another vulnerability in IE
    that was listed as low critical "just a DOS" vulnerability? Turned out that
    vulnerability turned into a buffer overflow (and required a
    reclassification as Highly critical). Haven't you guys learned anything?
    How about demanding software quality and timely patches? How many times do
    you guys have to relive the same problems before something clicks?

    Imhotep
     
    Imhotep, May 30, 2006
    #6
  7. Eh, no. Even on Unix they concluded "yes, we could carefully
    deinitialize and restart these specific services with dependencies, but
    it would be too complicated to implement, so we better restart the whole
    system."

    For Windows, it's just that there are more scenarios requiring a reboot.
    I'm remembering a similar case that is still unfixed since October 2002.
    The subtype was a boundary error (i.e. a buffer overflow due to an array
    being filled by multiple threads without properly synchronizing the
    index counter) which, if the exact conditions are not met, typically only
    results in a null pointer dereference. As Microsoft requires one to exactly
    reproduce the problem, they're too stupid to understand where the real
    problem is.
    Dunno, but from what Guninski and Lie Di Yu concluded about some serious
    design bugs IE was never designed/intended to be used in an untrusted
    network (like the internet).
    Until it's explicitly written into a (online) manual about IE? I guess
    not even then.
     
    Sebastian Gottschalk, May 30, 2006
    #7
  8. You started this thread, so you know it's about IE, including the subject
    line.
    For a browser lock up, I find it quite acceptable, as would most people.
    Who said they aren't? I'm certain they are. Now, if you feel it's not fast
    enough for you, then you should probably switch to Linux and leave us in
    peace. Why are you still using Windows again?
    That's pretty common when it comes to vulns and is not specific to
    Microsoft. First a DoS is found, then a code execution is found.
    Who said I don't? You clearly know nothing of my relationship with
    Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every
    subject, despite my having provided proof to the contrary to you repeatedly
    in the past. You're only happy if I tell you, "you're right on everything
    you say."
     
    Karl Levinson, May 31, 2006
    #8
  9. Imhotep

    Imhotep Guest

    I stop/start/restart services every day as we are a UNIX shop. I almost
    NEVER have to reboot (except when upgrading the OS)...


    Just about everything requires a reboot in windows...
    That is very typical....
    I believe it.
    hahahaha...
     
    Imhotep, May 31, 2006
    #9
  10. Imhotep

    Imhotep Guest

    typo: replace "IE or Firefox" with "IE *vs* Firefox"...

    And again my statement stands. This thread is NOT about IE vs Firefox vs
    whatever so stop the feeble attempt to make it that...
    As opposed to fixing the code? Are you really making that statement?
    Windows patch times are pathetic...These are security holes here and as such
    patch times should be on the order of days, not weeks, months and even some
    cases years...
    This should not be *common*. Second, my point *is* that this kind of
    attitude of "don't worry just reboot" is pathetic and leads to more
    security vulnerabilities (as in the example I gave above). If the security
    hole is fixed while it is "just a DOS" then the "code execution" would
    never be able to happen now would it....
    Did you miss your nightly medication? I said nothing of your relation
    Microsoft nor do I care if you have one or not...

    However, comments like "don't worry just reboot" are irresponsible...

    -- Imhotep
     
    Imhotep, May 31, 2006
    #10
  11. I meant kernel services from a system view, not these services services.
    When changing some not dynamically loaded kernel components, you'll have
    to reboot.
    Only if you don't know what to do. Some people reboot for unlocking open
    files, some other people just enter the admin password, acquire debug
    privilege and invalidate the file handle using Unlocker or Process
    Explorer (of course, there's no default tool that has such an ability).

    I remember my last reboot was... ehm... eh... sorry, simply can't
    remember such a long time. Must have been somewhere around the initial
    setup about a year ago (when the previous harddisk died).
    This is very typical for every programmer who doesn't have a
    sufficiently deep clue. The real problem is that Microsoft shouldn't let
    such underqualified people handle important security stuff, and I know
    that they do have qualified programmers.
    I don't. There are some other smaller design errors which could be fixed
    without revamping the entire code, and a lot of errors are really just
    random programming errors.

    So far only the cross-domain policy and the entire concept of ActiveX
    are definitely broken. The rest is just lousy.

    Well, there's a difference between intent and suitability. :)
    Don't wonder, in Microsoft online documentation you'll find explicit
    warnings about the unencrypted nature of using telnet, rcp, rsh and rexec
    with recommendations for SSH, SCP and SFTP. You'll find warnings that LM
    hashes are bad, bad, bad. You'll even find some press paper admitting
    that Win98's multi-monitor support was beta quality.
     
    Sebastian Gottschalk, May 31, 2006
    #11
  12. Imhotep

    Imhotep Guest

    The only time you have to reboot UNIX is when upgrading/altering the kernel,
    generally speaking. Even kernel modules can be loaded/unloaded while the
    system is up and running perfectly fine. Frankly, this is acceptable since
    you very rarely upgrade your kernel. Everything else does not require
    rebooting...
    I am talking about the foolish requirement when you install software. Why is
    it that the majority of the time if I install software (applications) I have to
    reboot? This is the foolishness to which I speak...
    I guess you did not patch that Windows box of yours!

    I have some linux boxes that have been running for years. Literally 3+
    years...(even patched them without rebooting, no kernel patches that is)
    Every company has qualified people. Microsoft's problem is that they care
    more about marketing than quality...that is their problem. Case in point
    is vista. They had an opportunity to finally force vendors to make software
    that does not require users to be in the local admin group (bad security).
    Now, I know from experience that you can get most MS software to run by
    altering permission/groups/or runas but this is not out-of-the-box
    behavior. Instead of doing this (telling software vendors to make software
    that is installed as a local admin but run by regular users) they said we
    will use the UAC and just bombard users with permission questions. This is
    just plain foolish. How many users will just answer "yes" to everything
    thus making the "security" behind the idea moot?
    Some probably are small design errors and some probably are deep structural
    and thus are difficult to fix.
    Cross domain was always a bad joke. Active-x was just Microsoft's way to
    have a java-like application. Most companies don't even allow active-x
    through their firewalls for good reason.
    It is not rocket science...

    Imhotep
     
    Imhotep, May 31, 2006
    #12
  13. Yeah, I sometimes see software asking for reboots. Well, why should I
    follow their outdated advice?
    I did.
    My Win2K box has been running for five years until the hardware died.
    Hm... one could say it's the company motto: "writing software to make money"

    Why do you think they crippled outbound connections with raw sockets on
    WinXP SP2? Just to fulfill the foolish cries of foolish GRC worshippers.
    Better image = more people keep on using Windows, more are gonna buy the
    next version
    Even worse, UAC doesn't work at all. The user is still an admin, just
    every program is started with user rights - if the user actually was an
    user, he couldn't give the programs additional rights. But now some parts
    of the GUI and lots of services and drivers are still running with admin
    rights, opening windows and receiving IPC messages across the UAC
    boundary - a malicious program can break out of the isolation.

    Dunno, but Vista will be crap anyway due to a trojan horse being
    integrated into the kernel.
    Yes, but now we know that it's fundamentally broken.
    Java at least has a chance to become secure, and Sun really does a good job.
    It is marketing. May I say: IE is fine, just don't call it a webbrowser.
    It's a wonderful ActiveX client platform for the intranet.
     
    Sebastian Gottschalk, May 31, 2006
    #13
  14. nor do I care if you have one or not...
    Only Chicken Little runs around panicking about every issue out there.
    Until shown otherwise, most people agree that a browser lockup like this is
    an extremely minor issue. You and I know there are far more significant
    security issues out there affecting Microsoft products, and I'm going to
    focus my time and attention there. Encouraging others to do the same is
    responsible, not irresponsible.
     
    Karl Levinson, May 31, 2006
    #14
  15. Yeah, because dumb people are already used to such issues.
    However, for serious people it is unacceptable, because they usually
    don't face such issues.
    There are none in IE.
    Well, except if you're misusing IE as a webbrowser, and then the issues
    are inherent (just like using telnet for remote access).

    BTW, would you please stop cross-posting without setting a Followup-To?
     
    Sebastian Gottschalk, May 31, 2006
    #15
  16. Imhotep

    Imhotep Guest


    hummm...one is reminded of a security vulnerability in IE not more than 8
    months ago that was just "a DOS" yet turned into a full blown critical
    security hole from which code could be run just by visiting a web site. Now,
    you would think security "professionals" would take a more serious look at "just
    a DOS". Most do, but, I guess there still are some that must learn the hard
    way, yet, again....

    So, call me whatever you want. I would much rather be called "Chicken Little" than
    a fake security professional any day...

    --- Imhotep
     
    Imhotep, Jun 3, 2006
    #16
  17. Imhotep

    Imhotep Guest


    Again, nicely said.....


    Imhotep
     
    Imhotep, Jun 3, 2006
    #17