Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability

Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 General Computer Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability Imhotep 05-30-2006
Posted by Imhotep on May 30, 2006, 1:55 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Sebastian Gottschalk wrote:

> Karl Levinson wrote:
>
>>>> Just restart IE. Worst case scenario, you just reboot.
>>>
>>> ...best way to midagate a Denial of Service code flaw is to fix the code
>>> that allows it! Not reboot, over and over and over again! Enough with
>>> "Microsoft catch all solution to problems"...this too was invented by
>>> Microsoft...
>>
>> Actually, the author of the mangleme malformed HTML fuzzer tool found
>> that IE 6 coded in 2000 was far far better coded to be far more resistant
>> to this kind of attack than every other browser out there bar none,
>> including Firefox coded in 2004.
>
> And later refined this statement when he found some more DoS problems in
> IE and once more when he implemented CSS content as well, making IE the
> worst of all browsers.
>
>> While IE 6 has had some serious security problems in
>> the past, locking up or executing arbitrary code due to malformed HTML is
>> not generally one of those problem areas.
>
> Have you been sleeping the last months? Did you even take a look at
> unpatched vulnerabilities? Certainly code execution through malformed
> HTML is one of MSIE's biggest problems.
>
>> Having said that, every browser on the planet is vulnerable to denial of
>> service and lockups requiring some sort of restart from properly formed
>> HTML trickery.
>
> Huh? So you suggest you've found a general DoS condition that applies to
> currently fully fixed webbrowsers? Details please. I only know about
> HTTP 1.1 Deflate encoding decompression bombs, and whereas Windows'
> preference of IE takes down the entire system with endless swapping, any
> real webbrowsers just swaps a lot and then recovers to normal operation,
> can also be killed to stop the swapping right-out.
>
>> And every OS on the planet requires restarting a service, process
>> or application of some sort to fix various problems, although some of the
>> newer ones allow restarting various components without a total reboot
>> better than current Windows does.
>
> Fine, but what if you can't create the problems by malicious intent?
>
> BTW, the microsoft.public.internetexplorer.security is a joke, isn't it?



...well said.

-- Imhotep

Similar ThreadsPosted
Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability June 2, 2006, 10:27 pm
Microsoft Internet Explorer ActiveX Vulnerability September 27, 2006, 10:10 pm
Re: Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability December 15, 2005, 10:03 am
Microsoft IIS ASP Remote Code Execution Vulnerability July 18, 2006, 10:03 pm
Randpm Internet Explorer Pop-ups. Please help!! April 12, 2005, 11:06 am
Random Internet Explorer Pop-ups. Please help!! April 12, 2005, 11:06 am
HPSBMA02235 SSRT061260 rev.1 - HP OpenView Internet Service (OVIS) Running Share d Trace Service, Remote Arbitrary Code Execution August 13, 2007, 4:33 pm
What does denial of service attack mean? April 30, 2005, 10:05 am
Denial of Service tools September 30, 2006, 3:46 pm
SSRT4700 rev.0 HP Web Jetadmin denial of service April 8, 2004, 6:30 am

The site map in XML format XML site map

Contact Us | Privacy Policy