COMMAND
Internet Explorer 4.01
SYSTEMS AFFECTED
Win95, Win98, NT
PROBLEM
Abe L. Getchell found three bugs in Internet Explorer 4.01 running
under both Windows 95 and Windows NT 4.0 (Server and Workstation).
All three are triggered by malicious HTML, and in all three cases the
result is a browser crash (a denial of service). There is, however,
NO known way to exploit these bugs to cause more serious damage to
the system.
Bug #1:
=======
This is the original bug Abe found. When loaded in IE 4.01 on
both Windows 95 and Windows NT 4.0 systems, it will crash the
browser. In Windows 95 this bug causes two successive illegal
operations, and causes Active Desktop to "lose its settings" if it
is being used. In Windows NT 4.0 it gives you a Dr. Watson which
tells you that IEXPLORE.EXE caused a stack overflow, and again causes
Active Desktop to "lose its settings" if it is being used. What we
are doing here is using the "data" attribute of the "object" tag to
reference the document itself. Every time IE embeds the document it
finds the same object tag again, so this misuse of the object tag
sends the browser into an unbounded recursion until it runs out of
stack and meets its maker with the following errors:
Windows 95 errors:
-EXPLORER causes a stack fault in module SHDOCVW.DLL at 016f:7078d692.
-EXPLORER causes a page fault in module SHDOCVW.DLL at 016f:7078d692.
-Active Desktop "loses its settings" if it is enabled.
Windows NT 4.0 errors:
-Dr. Watson gives: IEXPLORE.EXE > Exception: stack overflow (0xc00000fd), Address: 0x7079024b.
-Active Desktop "loses its settings" if it is enabled.
Here is the code which makes this happen. Make sure you save this
code in a file under the same name which is referenced in the
object tag (in this case, it's "crashmehtml.html").
<html>
<head>
<title></title>
<object data="crashmehtml.html"></object>
</head>
<body>
</body>
</html>
Bug #2:
=======
This is a variation of the original bug Abe found. The ONLY
difference between this and bug #1 is the pair of "script" tags in
the head of the document. When this is loaded in IE 4.01, on both
Windows 95 and Windows NT 4.0 workstations, it will crash the
browser. In Windows 95 it causes a stack fault, then tells the
user to close all programs and reboot the machine. In Windows NT
4.0, Dr. Watson pops up and tells you IEXPLORE.EXE caused a stack
overflow. Why this makes IE crash in a different DLL, I don't
know.
Windows 95 errors:
-EXPLORER causes a stack fault in module MSHTML.DLL at 016f:704bc4cc.
-Gives the error message: "There was an internal error and one
of the windows you were using will be closed. It is
recommended that you save your work and close all programs,
then restart your computer.".
Windows NT 4.0 errors:
-Dr. Watson gives: IEXPLORE.EXE > Exception: stack overflow (0xc00000fd), Address: 0x704bbbbc.
Here is the code. Again, make sure you save the code in a file
which is the same name as referenced in the object tag (in this
case, it's "crashmescript.html").
<html>
<head>
<title></title>
<script>
</script>
<object data="crashmescript.html"></object>
</head>
<body>
</body>
</html>
NOTE: What goes in the "script" tag does not seem to matter. It was
tested with 'language="vbscript"', 'language="javascript"', and
'language="poopooplatter"' and the same error occurred every time.
Bug #3:
=======
What we have here is an HTML file (crashmeloop1.html) with a data
reference to itself AND a data reference to another file
(crashmeloop2.html), plus a second HTML file (crashmeloop2.html)
which likewise references itself as well as the original file (in
our case crashmeloop1.html). In Windows 95 this sends IE into a
continuous loop while the HDD grinds away rather heavily. In
testing it was left running for up to 10 minutes and no error
message of any sort (stack overflow or virtual memory) appeared.
However, you cannot do anything until you ctrl+alt+del IE. This
is where the fun starts. After you "End Task" IE, the HDD grinds
away for a long time, which Abe found is directly proportional to
the amount of time you let the loop run, i.e. if you let the loop
run for ten minutes, the HDD is going to spin for a lot longer
after the "End Task" than if you let the loop run for five minutes.
After the HDD stops grinding, IE closes (although sometimes you
have to move your mouse to get it to close; tapping a key WILL NOT
WORK), and you are returned to the desktop. If Active Desktop is
being used, it will have "lost its settings". In Windows NT it is
a different case. The program will loop until an error message
pops up saying "Your system is running low on virtual memory.
Please close some applications. You can then start the System
option in the Control Panel and choose the Virtual Memory button to
create an additional paging file or to increase the size of your
current paging file." IE then closes and nothing else happens. It
is believed that the difference between the two behaviours is due
to the "let Windows manage my virtual memory settings" option.
Here is the code for the two files. Save them as crashmeloop1.html
and crashmeloop2.html so that the data references resolve.
<html>
<head>
<title></title>
<object data="crashmeloop2.html"></object>
<object data="crashmeloop1.html"></object>
</head>
<body>
</body>
</html>
<html>
<head>
<title></title>
<object data="crashmeloop1.html"></object>
<object data="crashmeloop2.html"></object>
</head>
<body>
</body>
</html>
Georgi Guninski added that in his tests the <OBJECT> tag seems to
crash Internet Explorer 4.0 under Win95. The following:
<OBJECT CLASSID=____More than 250 characters here____></OBJECT>
opens a dialog box "IEXPLORE: ...illegal operation" and closes IE
4.0, or produces a blue screen with "Fatal exception 0E" after which
you need to reboot. Be careful with the following:
<HTML>
Trying to crash IE 4.0
<OBJECT CLASSID=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111>
</OBJECT>
</HTML>
After Georgi Guninski's post, Logic Man found a stack overflow on
IE 4.0 [ Win95 ] with just one character:
<HTML>
<title>It shut down your IE 4.0</title>
<OBJECT CLASSID=#></OBJECT>
</HTML>
It opens a dialog box too and you must shut down your IE 4.0.
This also works in IE 4.01 SP1 under NT4+SP3 (the guess is that it
will probably work on any IE 4.0 or later, on whichever flavor of
Windows you choose).
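As an added example (not part of the advisory, and not code from any of the people quoted in it), the following Node.js script models the mechanism behind all of the reports above. It parses the <object> tags out of a set of HTML documents, builds the graph of data= embeddings, and reports any document that embeds itself directly (bugs #1 and #2) or through a cycle of other documents (bug #3), plus any classid value that is not a well-formed CLSID (the over-long and one-character values in the last two reports). The file names and sample documents are constructed for the example to mirror the crashme*.html files above; the 250-character threshold is taken from Georgi Guninski's report. It is a static check over files on disk, not a fix for the browser.

```javascript
// Added example: static audit of <object> usage in a set of HTML files.
// Sample documents and file names below are constructed for the example.

const OBJECT_TAG = /<object\b([^>]*)>/gi;
const ATTR = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
const CLSID = /^clsid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const MAX_CLASSID_LEN = 250; // "more than 250 characters" in Guninski's report

// Parse every <object> start tag in a document into a map of lower-cased
// attribute names to values (quoted or unquoted, as the crash pages use both).
function objectTags(html) {
  const tags = [];
  for (const m of html.matchAll(OBJECT_TAG)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    tags.push(attrs);
  }
  return tags;
}

// Build the embedding graph: file name -> list of files it embeds via data=.
function embedGraph(docs) {
  const graph = {};
  for (const [name, html] of Object.entries(docs)) {
    graph[name] = objectTags(html)
      .map((t) => t.data)
      .filter((d) => d !== undefined);
  }
  return graph;
}

// Depth-first search for an embedding cycle reachable from `start`. Returns
// the cycle as a list of file names with the first one repeated at the end,
// or null. A direct self-reference is the two-element cycle [a, a]. A
// referenced file that is not in the set is treated as a leaf.
function findEmbedCycle(graph, start) {
  const stack = [];
  const onStack = new Set();
  const done = new Set();
  function visit(node) {
    if (onStack.has(node)) return stack.slice(stack.indexOf(node)).concat(node);
    if (done.has(node)) return null;
    stack.push(node);
    onStack.add(node);
    for (const next of graph[node] || []) {
      const cycle = visit(next);
      if (cycle) return cycle;
    }
    stack.pop();
    onStack.delete(node);
    done.add(node);
    return null;
  }
  return visit(start);
}

// Flag classid values that are not well-formed CLSIDs.
function badClassIds(html) {
  const findings = [];
  for (const t of objectTags(html)) {
    if (t.classid === undefined || CLSID.test(t.classid)) continue;
    const reason = t.classid.length > MAX_CLASSID_LEN ? "over-long" : "malformed";
    findings.push({ classid: t.classid, reason });
  }
  return findings;
}

// Run both checks over every document in the set.
function auditDocuments(docs) {
  const graph = embedGraph(docs);
  const report = {};
  for (const name of Object.keys(docs)) {
    report[name] = {
      embedCycle: findEmbedCycle(graph, name),
      badClassIds: badClassIds(docs[name]),
    };
  }
  return report;
}

// Constructed sample set modelled on the advisory's test files, plus one
// benign page with a real (Flash player) CLSID and a non-recursive data=.
const SAMPLE_DOCS = {
  "crashmehtml.html": '<html><head><object data="crashmehtml.html"></object></head><body></body></html>',
  "crashmeloop1.html": '<html><head><object data="crashmeloop2.html"></object><object data="crashmeloop1.html"></object></head></html>',
  "crashmeloop2.html": '<html><head><object data="crashmeloop1.html"></object><object data="crashmeloop2.html"></object></head></html>',
  "classid.html": '<html><OBJECT CLASSID=#></OBJECT><OBJECT CLASSID="' + "1".repeat(300) + '"></OBJECT></html>',
  "benign.html": '<html><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" data="movie.swf"></object></html>',
};

console.log(JSON.stringify(auditDocuments(SAMPLE_DOCS), null, 2));
```

Running it prints a report with a two-element cycle for crashmehtml.html, the loop1/loop2/loop1 cycle for the bug #3 pair, two classid findings for the CLASSID page and nothing for the benign page. The same graph walk is what a mail or proxy filter would need before deciding whether an OBJECT tag is worth defanging.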
SOLUTION
On August 17th Microsoft released a patch that fixes the problem
as reported. This patch is available for download from the
Microsoft Scripting Technologies web site:
http://www.microsoft.com/msdownload/vbscript/scripting.asp
Microsoft has also made this patch available as a "Critical
Update" for Windows 98 customers through the Windows Update.
Localized versions of the patch are available from the Microsoft
Scripting Technologies web site:
http://www.microsoft.com/msdownload/vbscript/scripting.asp
Microsoft strongly encourages customers to apply the patch. However,
users who cannot apply the patch can use the Zones security feature
in Internet Explorer to provide additional protection against this
issue by disabling Active Scripting in the "Internet" and
"Restricted Sites" Zones. This would still allow JScript to be run
from trusted Internet sites, and on the user's local intranet. Note
that bugs #1 and #3 and the CLASSID crashes above contain no script
at all, so disabling Active Scripting should not be relied on to
stop them; it is a stop-gap, not a substitute for the patch.
To turn off Active Scripting for the "Internet" Zone:
1. From Internet Explorer, choose "Internet Options" from the
"View" menu.
2. Click on the tab labeled "Security".
3. Click on "Internet Zone", then click "Customize Settings".
4. Scroll to the bottom of the list and click on "Disable"
under the "Active Scripting" setting.
These same procedures can be followed for the "Restricted Sites"
Zone.
John Hardin's HTML trap for procmail defangs OBJECT tags too. See
the "Notes" section on the bottom of the page at:
http://www.wolfenet.com/~jhardin/procmail-kit.html