RE: New Microsoft Internet Explorer mshtml.dll Denial of Service?

["Tiago Halm" <thalm () netcabo pt>]

My feeling is that the following facts:

- rendering engine of IE, complemented with the "online" download of the
image
- possible malformation of the image

lead to this outcome (browser crash).
There must be some code inside mshtml.dll that "crashes" when parsing the
image.

I get this "Application" event with source "Microsoft Internet Explorer", ID
= 1000:
-------------
Faulting application iexplore.exe, version 6.0.2800.1106, faulting module
mshtml.dll, version 6.0.2800.1226, fault address 0x00180ede. 
-------------

This is not a webbug. I think this is only a transgif for layout (as you put
it).
And IE should take the image as invalid and should not even try to display
it.

Regards,
Tiago Halm

-----Original Message-----
From: nonleft [mailto:nonleft () gmx net] 
Sent: terça-feira, 2 de Setembro de 2003 19:15
To: Tiago Halm; 'Pellmann Paul'; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] New Microsoft Internet Explorer mshtml.dll
Denial of Service?


could you figure out if it is a webbug than or just a transgif for layout?

kind regards
nonleft


At 17:36 02.09.2003 +0100, Tiago Halm wrote:
> Paul has a point here, I believe!
>
> After a **lot** of html code "trimming" I came with an offline version 
> of the page like this:
>
> ------------------------------------------------------
> 2bd125.jpg
> -------------------------------------------------------
>
> and this piece of code does crash my browser (6.0.2800.1106) on windows 
> 2000 server all patches and fixes up to date.
>
> NOTE: Every time you **want** the browser to crash, you must delete it 
> from the "Temporary Internet Files" before loading it in your browser.
>
> Although this image (e1x1.gif) is 1x1 GIF, ACDSee Classic calls it a 
> "Bad or unrecognized image header". Does this image, in some way, 
> affects the way IE does the parsing? Seems like it...
>
> Regards,
> Tiago Halm
>
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Pellmann 
> Paul
> Sent: terça-feira, 2 de Setembro de 2003 16:20
> To: 'full-disclosure () lists netsys com'
> Subject: AW: [Full-disclosure] New Microsoft Internet Explorer mshtml.dll
> Denial of Service?
>
>
> This seems to be caused by the 1x1 image 
> http://www.galad.com/frame/e1x1.gif
> used within the page. If I block this URL the IE stops crashing with that
> page.
>
> cu
> Paul
>
>
> > > Its a mail client issue; doesn't happen if you click on
> > > a link from Internet Explorer.
> >
> > No, I am very sure that this happens also, if you follow the link 
> > inside a web page only (without an involving mail client).
> >
> > So go to http://www.counterpane.com/crypto-gram.html , scroll down 
> > and click the link that says "Holger Hasselbach has translated 
> > several issues of Crypto-Gram into German [...]". The error occurs 
> > as described in my original posting.
> >
> > > Your mail headers don't exactly give away your own mail client. 
> > > What would it be?
> >
> > Microsoft Outlook 2002 SP2 on Windows XP Professional
> >
> > Yours,
> >
> > Marc Ruef
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0
> >
> > iQA/AwUBP1Rw4Be5hzJzqVMhEQKFkACeOBaQowm8I6p0P2Fb12C4E2ndwgoAniRK
> > qtApctQA9L1W78qDsE4Puuvz
> > =m0et
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html