Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 27.05.2006 06:41:53 by Imhotep
"Microsoft Internet Explorer is affected by a denial-of-service
vulnerability. This issue arises because the application fails to handle
exceptional conditions in a proper manner.
An attacker may exploit this issue by enticing a user to visit a malicious
site, resulting in a denial-of-service condition in the application.
This issue results in a NULL-pointer dereference, causing the application to
crash. If attackers can manipulate the pointer being dereferenced, code
execution may be possible. Note that this has not been confirmed.
Since exploiting this issue requires only standard HTML, it may not be
easily mitigated.
Internet Explorer 6 is vulnerable to this issue; other versions may also be
affected."
http://www.securityfocus.com/bid/18112
Imhotep
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 27.05.2006 16:27:06 by Karl Levinson
"Imhotep" wrote in message
news:pLGdnd7FUsAMRerZ4p2dnA@adelphia.com...
> Since exploiting this issue requires only standard HTML, it may not be
> easily mitigated.
Just restart IE. Worst case scenario, you just reboot.
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 27.05.2006 19:37:35 by Imhotep
Karl Levinson wrote:
>
> "Imhotep" wrote in message
> news:pLGdnd7FUsAMRerZ4p2dnA@adelphia.com...
>
>> Since exploiting this issue requires only standard HTML, it may not be
>> easily mitigated.
>
> Just restart IE. Worst case scenario, you just reboot.
...best way to mitigate a Denial of Service code flaw is to fix the code
that allows it! Not reboot, over and over and over again! Enough with
"Microsoft catch all solution to problems"...this too was invented by
Microsoft...
Imhotep
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 30.05.2006 05:39:04 by Karl Levinson
>> "Imhotep" wrote in message
>> news:pLGdnd7FUsAMRerZ4p2dnA@adelphia.com...
>> Just restart IE. Worst case scenario, you just reboot.
>
>
> ...best way to mitigate a Denial of Service code flaw is to fix the code
> that allows it! Not reboot, over and over and over again! Enough with
> "Microsoft catch all solution to problems"...this too was invented by
> Microsoft...
Actually, the author of the mangleme malformed HTML fuzzer tool found that
IE 6 coded in 2000 was far far better coded to be far more resistant to this
kind of attack than every other browser out there bar none, including
Firefox coded in 2004. While IE 6 has had some serious security problems in
the past, locking up or executing arbitrary code due to malformed HTML is
not generally one of those problem areas.
Having said that, every browser on the planet is vulnerable to denial of
service and lockups requiring some sort of restart from properly formed HTML
trickery. And every OS on the planet requires restarting a service, process
or application of some sort to fix various problems, although some of the
newer ones allow restarting various components without a total reboot better
than current Windows does.
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 30.05.2006 07:24:07 by Sebastian Gottschalk
Karl Levinson wrote:
>>> Just restart IE. Worst case scenario, you just reboot.
>>
>> ...best way to mitigate a Denial of Service code flaw is to fix the code
>> that allows it! Not reboot, over and over and over again! Enough with
>> "Microsoft catch all solution to problems"...this too was invented by
>> Microsoft...
>
> Actually, the author of the mangleme malformed HTML fuzzer tool found that
> IE 6 coded in 2000 was far far better coded to be far more resistant to this
> kind of attack than every other browser out there bar none, including
> Firefox coded in 2004.
And later refined this statement when he found some more DoS problems in
IE and once more when he implemented CSS content as well, making IE the
worst of all browsers.
> While IE 6 has had some serious security problems in
> the past, locking up or executing arbitrary code due to malformed HTML is
> not generally one of those problem areas.
Have you been sleeping the last months? Did you even take a look at
unpatched vulnerabilities? Certainly code execution through malformed
HTML is one of MSIE's biggest problems.
> Having said that, every browser on the planet is vulnerable to denial of
> service and lockups requiring some sort of restart from properly formed HTML
> trickery.
Huh? So you suggest you've found a general DoS condition that applies to
currently fully fixed webbrowsers? Details please. I only know about
HTTP 1.1 Deflate encoding decompression bombs, and whereas Windows'
preference of IE takes down the entire system with endless swapping, any
real webbrowser just swaps a lot and then recovers to normal operation,
can also be killed to stop the swapping right-out.
> And every OS on the planet requires restarting a service, process
> or application of some sort to fix various problems, although some of the
> newer ones allow restarting various components without a total reboot better
> than current Windows does.
Fine, but what if you can't create the problems by malicious intent?
BTW, the microsoft.public.internetexplorer.security is a joke, isn't it?
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 30.05.2006 07:54:18 by Imhotep
Karl Levinson wrote:
>
>>> "Imhotep" wrote in message
>>> news:pLGdnd7FUsAMRerZ4p2dnA@adelphia.com...
>
>>> Just restart IE. Worst case scenario, you just reboot.
>>
>>
>> ...best way to mitigate a Denial of Service code flaw is to fix the code
>> that allows it! Not reboot, over and over and over again! Enough with
>> "Microsoft catch all solution to problems"...this too was invented by
>> Microsoft...
>
> Actually, the author of the mangleme malformed HTML fuzzer tool found that
> IE 6 coded in 2000 was far far better coded to be far more resistant to
> this kind of attack than every other browser out there bar none, including
> Firefox coded in 2004. While IE 6 has had some serious security problems
> in the past, locking up or executing arbitrary code due to malformed HTML
> is not generally one of those problem areas.
First this thread has nothing to do with IE or Firefox? What exactly is your
point here? Second, maybe, just maybe, IE was secure in regards to
malformed HTML but it has a horrible track record everywhere else, BAR
NONE.
> Having said that, every browser on the planet is vulnerable to denial of
> service and lockups requiring some sort of restart from properly formed
> HTML
> trickery. And every OS on the planet requires restarting a service,
> process or application of some sort to fix various problems, although some
> of the newer ones allow restarting various components without a total
> reboot better than current Windows does.
Restart "X" has become the catch all solution to Windows problem solving and
yes, it was "invented by Windows" as this behavior was not tolerated prior.
Second, replying to someone saying:
"Just restart IE. Worst case scenario, you just reboot."
is just downright pathetic. How about a new concept? How about they fix the
code? Remember not 6 months ago there was yet another vulnerability in IE
that was listed as low critical "just a DOS" vulnerability? Turned out that
vulnerability turned into a buffer overflow (and required a
reclassification as Highly critical). Haven't you guys learned anything?
How about demanding software quality and timely patches? How many times do
you guys have to relive the same problems before something clicks?
Imhotep
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 30.05.2006 07:55:35 by Imhotep
Sebastian Gottschalk wrote:
> Karl Levinson wrote:
>
>>>> Just restart IE. Worst case scenario, you just reboot.
>>>
>>> ...best way to mitigate a Denial of Service code flaw is to fix the code
>>> that allows it! Not reboot, over and over and over again! Enough with
>>> "Microsoft catch all solution to problems"...this too was invented by
>>> Microsoft...
>>
>> Actually, the author of the mangleme malformed HTML fuzzer tool found
>> that IE 6 coded in 2000 was far far better coded to be far more resistant
>> to this kind of attack than every other browser out there bar none,
>> including Firefox coded in 2004.
>
> And later refined this statement when he found some more DoS problems in
> IE and once more when he implemented CSS content as well, making IE the
> worst of all browsers.
>
>> While IE 6 has had some serious security problems in
>> the past, locking up or executing arbitrary code due to malformed HTML is
>> not generally one of those problem areas.
>
> Have you been sleeping the last months? Did you even take a look at
> unpatched vulnerabilities? Certainly code execution through malformed
> HTML is one of MSIE's biggest problems.
>
>> Having said that, every browser on the planet is vulnerable to denial of
>> service and lockups requiring some sort of restart from properly formed
>> HTML trickery.
>
> Huh? So you suggest you've found a general DoS condition that applies to
> currently fully fixed webbrowsers? Details please. I only know about
> HTTP 1.1 Deflate encoding decompression bombs, and whereas Windows'
> preference of IE takes down the entire system with endless swapping, any
> real webbrowser just swaps a lot and then recovers to normal operation,
> can also be killed to stop the swapping right-out.
>
>> And every OS on the planet requires restarting a service, process
>> or application of some sort to fix various problems, although some of the
>> newer ones allow restarting various components without a total reboot
>> better than current Windows does.
>
> Fine, but what if you can't create the problems by malicious intent?
>
> BTW, the microsoft.public.internetexplorer.security is a joke, isn't it?
....well said.
-- Imhotep
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 31.05.2006 02:54:32 by Karl Levinson
"Imhotep" wrote in message
news:XNidnS9ZorqQQ-bZnZ2dnUVZ_vydnZ2d@adelphia.com...
> First this thread has nothing to do with IE or Firefox?
You started this thread, so you know it's about IE, including the subject
line.
> "Just restart IE. Worst case scenario, you just reboot."
>
> is just downright pathetic.
For a browser lock up, I find it quite acceptable, as would most people.
> How about a new concept? How about they fix the
> code?
Who said they aren't? I'm certain they are. Now, if you feel it's not fast
enough for you, then you should probably switch to Linux and leave us in
peace. Why are you still using Windows again?
> Remember not 6 months ago there was yet another vulnerability in IE
> that was listed as low critical "just a DOS" vulnerability? Turned out
> that
> vulnerability turned into a buffer overflow (and required a
> reclassification as Highly critical).
That's pretty common when it comes to vulns and is not specific to
Microsoft. First a DoS is found, then a code execution is found.
> Haven't you guys learned anything?
> How about demanding software quality and timely patches?
Who said I don't? You clearly know nothing of my relationship with
Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every
subject, despite my having provided proof to the contrary to you repeatedly
in the past. You're only happy if I tell you, "you're right on everything
you say."
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 31.05.2006 04:17:44 by Imhotep
Karl Levinson wrote:
>
> "Imhotep" wrote in message
> news:XNidnS9ZorqQQ-bZnZ2dnUVZ_vydnZ2d@adelphia.com...
>
>> First this thread has nothing to do with IE or Firefox?
>
> You started this thread, so you know it's about IE, including the subject
> line.
typo: replace "IE or Firefox" with "IE *vs* Firefox"...
And again my statement stands. This thread is NOT about IE vs Firefox vs
whatever so stop the feeble attempt to make it that...
>> "Just restart IE. Worst case scenario, you just reboot."
>>
>> is just downright pathetic.
>
> For a browser lock up, I find it quite acceptable, as would most people.
As opposed to fixing the code? Are you really making that statement?
>> How about a new concept? How about they fix the
>> code?
>
> Who said they aren't? I'm certain they are. Now, if you feel it's not
> fast enough for you, then you should probably switch to Linux and leave us
> in
> peace. Why are you still using Windows again?
Windows patch times are pathetic...These are security holes here and as such
patch times should be on the order of days, not weeks, months and even some
cases years...
>> Remember not 6 months ago there was yet another vulnerability in IE
>> that was listed as low critical "just a DOS" vulnerability? Turned out
>> that
>> vulnerability turned into a buffer overflow (and required a
>> reclassification as Highly critical).
>
> That's pretty common when it comes to vulns and is not specific to
> Microsoft. First a DoS is found, then a code execution is found.
This should not be *common*. Second, my point *is* that this kind of
attitude of "don't worry just reboot" is pathetic and leads to more
security vulnerabilities (as in the example I gave above). If the security
hole is fixed while it is "just a DOS" then the "code execution" would
never be able to happen now would it....
>> Haven't you guys learned anything?
>> How about demanding software quality and timely patches?
>
> Who said I don't? You clearly know nothing of my relationship with
> Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every
> subject, despite my having provided proof to the contrary to you
> repeatedly
> in the past. You're only happy if I tell you, "you're right on everything
> you say."
Did you miss your nightly medication? I said nothing of your relation to
Microsoft nor do I care if you have one or not...
However, comments like "don't worry just reboot" are irresponsible...
-- Imhotep
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 31.05.2006 17:50:05 by Karl Levinson
"Imhotep" wrote in message
news:MbydnU99ZrxXYeHZnZ2dneKdnZydnZ2d@adelphia.com...
> This should not be *common*. Second, my point *is* that this kind of
> attitude of "don't worry just reboot" is pathetic and leads to more
> security vulnerabilities (as in the example I gave above). If the security
> hole is fixed while it is "just a DOS" then the "code execution" would
> never be able to happen now would it....
> nor do I care if you have one or not...
>
> However, comments like "don't worry just reboot" are irresponsible...
Only Chicken Little runs around panicking about every issue out there.
Until shown otherwise, most people agree that a browser lockup like this is
an extremely minor issue. You and I know there are far more significant
security issues out there affecting Microsoft products, and I'm going to
focus my time and attention there. Encouraging others to do the same is
responsible, not irresponsible.
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 31.05.2006 18:53:22 by Sebastian Gottschalk
Karl Levinson wrote:
>> However, comments like "don't worry just reboot" are irresponsible...
>
> Only Chicken Little runs around panicking about every issue out there.
> Until shown otherwise, most people agree that a browser lockup like this is
> an extremely minor issue.
Yeah, because dumb people are already used to such issues.
However, for serious people it is unacceptable, because they usually
don't face such issues.
> You and I know there are far more significant
> security issues out there affecting Microsoft products, and I'm going to
> focus my time and attention there.
There are none in IE.
Well, except if you're misusing IE as a webbrowser, and then the issues
are inherent (just like using telnet for remote access).
BTW, would you please stop cross-posting without setting a Followup-To?
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 03.06.2006 04:27:05 by Imhotep
Karl Levinson wrote:
>
> "Imhotep" wrote in message
> news:MbydnU99ZrxXYeHZnZ2dneKdnZydnZ2d@adelphia.com...
>
>> This should not be *common*. Second, my point *is* that this kind of
>> attitude of "don't worry just reboot" is pathetic and leads to more
>> security vulnerabilities (as in the example I gave above). If the
>> security hole is fixed while it is "just a DOS" then the "code execution"
>> would never be able to happen now would it....
>> nor do I care if you have one or not...
>>
>> However, comments like "don't worry just reboot" are irresponsible...
>
> Only Chicken Little runs around panicking about every issue out there.
> Until shown otherwise, most people agree that a browser lockup like this
> is
> an extremely minor issue. You and I know there are far more significant
> security issues out there affecting Microsoft products, and I'm going to
> focus my time and attention there. Encouraging others to do the same is
> responsible, not irresponsible.
hummm...one is reminded of a security vulnerability in IE not more than 8
months ago that was just "a DOS" yet turned into a full blown critical
security hole which code could be run from just visiting a web site. Now,
you think security "professionals" would take a more serious look at "just
a DOS". Most do, but, I guess there still are some that must learn the hard
way, yet, again....
So, call me whatever you want. I'd much rather be called "Chicken Little" than
a fake security professional any day...
--- Imhotep
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
on 03.06.2006 04:27:47 by Imhotep
Sebastian Gottschalk wrote:
> Karl Levinson wrote:
>
>>> However, comments like "don't worry just reboot" are irresponsible...
>>
>> Only Chicken Little runs around panicking about every issue out there.
>> Until shown otherwise, most people agree that a browser lockup like this
>> is an extremely minor issue.
>
> Yeah, because dumb people are already used to such issues.
> However, for serious people it is unacceptable, because they usually
> don't face such issues.
>
>> You and I know there are far more significant
>> security issues out there affecting Microsoft products, and I'm going to
>> focus my time and attention there.
>
> There are none in IE.
> Well, except if you're misusing IE as a webbrowser, and then the issues
> are inherent (just like using telnet for remote access).
>
> BTW, would you please stop cross-posting without setting a Followup-To?
Nicely said.....