HTML-Code crashes Internet Explorer

Any IE version since 4.0 is vulnerable

         

Fischerlaender

10:25 am on May 3, 2003 (gmt 0)

10+ Year Member



This simple HTML code causes any IE since version 4.0 to crash, the German computer magazine c't says:
<html> 
<form>
<input type crash>
</form>
</html>

I tested it with my MSIE 6.0SP1 on Windows XP and it indeed crashes.

grahamstewart

11:03 am on May 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Huh? ...*test*...*crash*

Oh yeah.. right enough!
Well that's handy :)

ShawnR

12:27 pm on May 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, hands up those who read the post and tried it. You can admit it.

grahamstewart

12:31 pm on May 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You gotta laugh!

Microsoft has loads of bugs in IE, but instead of trying to fix them they spend time introducing new code to deliberately crash it :)

dmorison

12:33 pm on May 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The technical details, courtesy of BugTraq:

IE tries to compare the type of the input field to "HIDDEN", to see if it
should be rendered. When there is no type string, a null-pointer is used.
mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static
unicode string "HIDDEN" and a null-pointer.
shlwapi.dll#158 does a case-insensitive comparison of two unicode strings:
it reads from address 0x0 because of the null-pointer and thus causes an
exception.
This is not exploitable, other than a DoS because there is no memory mapped
@ 0x0 and even if you could load something there, you could only compare it
to "HIDDEN" which gets you nowhere.

Is that allowed here? Soon find out I guess.
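
The unchecked compare described in the BugTraq analysis above, next to a checked form, as an added C example that is not part of the original thread and is not Microsoft's code. The function names are hypothetical, and a NULL `type` stands for an attribute with no value, as in `<input type>`.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Case-insensitive wide-string compare that, like the routine in the
   analysis, dereferences both pointers without checking them first. */
static int wcs_icmp_unchecked(const wchar_t *a, const wchar_t *b)
{
    while (*a && towlower((wint_t)*a) == towlower((wint_t)*b)) {
        a++;
        b++;
    }
    return (int)towlower((wint_t)*a) - (int)towlower((wint_t)*b);
}

/* Before: the pattern from the analysis. `type` is NULL for a bare
   attribute such as <input type>, so the compare reads address 0
   and the process faults. */
int type_is_hidden_unchecked(const wchar_t *type)
{
    return wcs_icmp_unchecked(L"HIDDEN", type) == 0;
}

/* After: a missing value is handled before the compare. HTML's default
   input type is "text", so a NULL type is simply "not hidden". */
int type_is_hidden_checked(const wchar_t *type)
{
    if (type == NULL)
        return 0;
    return wcs_icmp_unchecked(L"HIDDEN", type) == 0;
}

int main(void)
{
    /* Constructed inputs; NULL stands for <input type> with no value. */
    const wchar_t *samples[] = { L"hidden", L"Hidden", L"text", L"", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> hidden=%d\n", i, type_is_hidden_checked(samples[i]));
    return 0;
}
```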

Oaf357

11:55 pm on May 3, 2003 (gmt 0)

10+ Year Member



Works like a charm. I guess.

pixel_juice

11:58 pm on May 3, 2003 (gmt 0)

10+ Year Member



OK, hands up those who read the post and tried it. You can admit it.

Didn't crash my copy of IE6 anyway. Not that I care when I use Mozilla :)

toadhall

12:12 am on May 4, 2003 (gmt 0)

10+ Year Member



So next time MSN blocks Opera we (you're with me right?) can seek bloody revenge by redirecting to that tidbit from our browser sniffer.

Nya ha ha.

T

Which, on reflection, kind of smacks of shooting one's own foot.

keyplyr

6:20 pm on May 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




Oh good, I've been looking for code to do that.

Nick_W

6:23 pm on May 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm very tempted to write a link on my 'list of articles' titled Why IE Sucks and just link it to that code ;-)

Think I'd lose visitors that way? ;)

Nick

universalis

1:17 pm on May 5, 2003 (gmt 0)

10+ Year Member



You only need the tag <input type> to make IE crash. The important points are:

1. The lack of a <body> tag. If a body tag is present before the input tag, the browser won't crash - so you're safe from idiots pasting code into your guestbook / forum, etc.

2. The bug is caused by the empty "type" attribute.

3. It is not just IE that crashes - in fact, any program using the same libraries as IE will crash when getting this code. That means Outlook Express, or even the preview feature in Windows Explorer. This means that there is a possibility that the above-mentioned idiots will start sending HTML emails to all and sundry, making OE crash on receipt. This is nasty, and is in my opinion, the biggest risk posed by this bug.

4. You can actually crash Mozilla with a bit of code too. Try this (or rather, don't try this):

<html>
<fieldset style="position:fixed;">
<legend>Crash</legend>
</fieldset>
</html>

So don't think that it's just MS who have sloppy coding!

pixel_juice

11:53 pm on May 5, 2003 (gmt 0)

10+ Year Member



Good call on the moz crash, universalis.

The lack of a <body> tag

That'll be why my IE didn't crash then - should've read the original post a bit more carefully ;)