Vulnerability Development mailing list archives

RE: IE 5.x (5.50.4522.1800 SP1) Crash at gopher://:


From: "David Schwartz" <davids () webmaster com>
Date: Thu, 17 May 2001 15:39:49 -0700


At 11:42 2001-05-16 +0100, you wrote:

Now, the weird thing is this. I've managed to make this happen a few times,
but it seems slightly random. Wonder if anyone else can reproduce this:

1. type shell://: hit return. Normal extra window appears
2. type shell://:; hit return. TWO extra windows appear
3. type shell://:;; hit return. 2 or 3 extra windows appear
4. type shell://: hit return. Explorer comes back with an exception error:

The Exception unknown software exception (0xc00000fd) occurred in the
application at location 0x76c82587

"shell://:;" crashed both ie and explorer.exe on one machine.
It didn't work on two others with SP2, so I guess SP2 will fix it.

However, "gopher://:"; still makes them crash ie.

        This is very disconcerting. The fact that Microsoft keeps incrementally
fixing these problems indicates that IE has two very serious problems that
are *not* being fixed:

        1) There is no preparser to sanity check the input. If there were, input
that's not what Microsoft expects the main parser to handle would never get
to the main parser.

        2) The main parser is fragile, that is, it parses its input with
assumptions about what that input is, rather than carefully checking every
code path to sanely abort malformed input.

        Both of these issues are security essentials. The two together will create
an endless series of exploits and crashes until they're fixed at the root.

        C'mon guys, this is basic stuff.

        DS
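As an added illustration of the two layers DS describes (example code, not from the original thread): a small URL front end in which a preparser rejects anything not plainly well-formed, such as the empty host in "gopher://:", before the main parser ever runs, and the main parser still re-checks the invariants it relies on instead of assuming them. The scheme allow-list, the default-port table and the hostname grammar are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed allow-list for this example: schemes the front end will dispatch at all.
ALLOWED_SCHEMES = {"http", "https", "ftp", "gopher"}

# Generic "scheme://authority[path]" shape; anything else never reaches the main parser.
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/?#]*)(?P<rest>[/?#].*)?$"
)
# Hostname: dot-separated labels of letters, digits and inner hyphens; no empty labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def preparse(url: str) -> Optional[dict]:
    """Stage 1: cheap sanity check; returns components on success, None on reject."""
    if len(url) > 2048 or any(ord(c) < 0x20 or ord(c) > 0x7E for c in url):
        return None                      # length cap and printable ASCII only
    m = _URL_RE.match(url)
    if m is None:
        return None
    scheme = m.group("scheme").lower()
    if scheme not in ALLOWED_SCHEMES:
        return None                      # unknown handlers (e.g. shell:) are simply not offered
    host, _, port = m.group("authority").partition(":")
    if not _HOST_RE.match(host):
        return None                      # rejects the empty host in "gopher://:" and ":;"
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        return None
    return {"scheme": scheme, "host": host.lower(),
            "port": int(port) if port else None, "rest": m.group("rest") or "/"}


def main_parser(parts: dict) -> str:
    """Stage 2: builds the request target, aborting loudly if an invariant does not hold."""
    if not parts.get("host"):            # defensive: never assume stage 1 ran
        raise ValueError("main parser received an empty host")
    default = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}[parts["scheme"]]
    port = parts["port"] or default
    return f"{parts['scheme']}://{parts['host']}:{port}{parts['rest']}"


def dispatch(url: str) -> Optional[str]:
    """Only input that passed the preparser is ever handed to the main parser."""
    parts = preparse(url)
    return main_parser(parts) if parts is not None else None
```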
