Re: Object tag crashes Internet Explorer 4.0

From: Brett Glass (brettat_private)
Date: Thu Jul 30 1998 - 09:39:52 PDT


    John Hardin's HTML trap for procmail (I've been helping him expand it
    to close the Outlook/Netscape long file name hole) defangs OBJECT tags
    too. See the "Notes" section on the bottom of the page at
    
    http://www.wolfenet.com/~jhardin/procmail-kit.html
    
    John deserves a lot of credit. His package lays the groundwork for a whole
    BUNCH of protective "safety nets" that can prevent e-mail exploits. (I was
    planning to implement something like it to protect my users, but it would
    have taken me WEEKS if I'd started from scratch. A fix based on his work
    took less than a day to create.)
    
    Everyone on this list who has some understanding of procmail and regular
    expressions should review the filters at the above URL and suggest
    improvements.
    
    --Brett
    
    
    At 05:06 PM 7/29/98 -0700, Brian Behlendorf wrote:
    
    >in message 19980728171036.5485.qmailat_private, Georgi Guninski
    ><guninskiat_private> told us about an Object Tag problem in MSIE 4.0.  He
    >described it:
    >
    >> The <OBJECT> tag seems to crash Internet Explorer 4.0 under Win95 (don't
    >> know about other versions/OS).
    >> The following:
    >> <OBJECT CLASSID=____More than 250 characters here____></OBJECT>
    >> opens a dialog box "IEXPLORE: ...illegal operation" and closes IE 4.0,
    >> or a blue screen with "Fatal exception 0E" and you need to reboot.
    >> I don't think this is exploitable(?), but it is a bad "feature".
    >
    >This is good to know - the only problem is that as an attachment, Georgi also
    >appended an actual example of such an OBJECT tag:
    >
    >> -------------------------------------Cut here: Object.html -------
    >> <HTML>
    >> Trying to crash IE 4.0
    >> <OBJECT CLASSID=111...111111111>
    >> </OBJECT>
    >> </HTML>
    >
    >The '...' above being replaced with enough other 1's to do the deed.
    >
    >Of course, in doing so, my Win95/Eudora 4 Pro (which is configured to use MSIE
    >4.0 as its 'HTML browser') crashed before I could read his message.  Crashed
    >the whole OS, actually, losing about 3 hours' worth of work.
    >
    >Now, you could say I have no right to complain, it's my own fault for running
    >ripshod software on a crappy OS, and I wouldn't argue.
    >
    >But I would still like to ask that posters to BugTraq, and other forums,
    >refrain from posting actual, "lethal" examples of the mailer bugs they are
    >talking about.  At this time I'm unaware of any patch for this particular
    >problem, other than "use WordPad to read your mail" or "get a real OS".
    >
    >Thanks.
    >
    >       Brian
    >
    >
    >--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
    >"Common sense is the collection of prejudices  |     brianat_private
    >acquired by the age of eighteen." - Einstein   |  brianat_private
    >
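
An added example, not part of the original thread and not John Hardin's procmail filter: a minimal mail-body sanitizer that defangs OBJECT tags in the way the reply describes and reports overlong CLASSID values. The function name, the `DEFANGED-OBJECT` replacement token and the 250-character limit (taken from the figure quoted in the report) are assumptions made for illustration.

```python
import re

# Assumption: the report quotes "more than 250 characters" in CLASSID; this
# limit mirrors that figure and is not a tested bound.
MAX_CLASSID_LEN = 250

# Opening or closing OBJECT tag, any case, optional whitespace after "<".
OBJECT_TAG = re.compile(r"<(\s*/?\s*)object\b", re.IGNORECASE)
# CLASSID attribute value: double-quoted, single-quoted, or bare.
CLASSID = re.compile(
    r"""\bclassid\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))""",
    re.IGNORECASE,
)


def defang_object_tags(html):
    """Return (sanitized_html, findings) for one HTML mail body.

    Every OBJECT tag is renamed so an HTML renderer no longer treats it as
    an embedded object. Overlong CLASSID values found anywhere in the body
    are reported so the delivery agent can log or quarantine the message.
    """
    findings = []
    for match in CLASSID.finditer(html):
        value = next(g for g in match.groups() if g is not None)
        if len(value) > MAX_CLASSID_LEN:
            findings.append(
                f"classid length {len(value)} exceeds {MAX_CLASSID_LEN}"
            )
    sanitized, count = OBJECT_TAG.subn(r"<\g<1>DEFANGED-OBJECT", html)
    if count:
        findings.append(f"defanged {count} OBJECT tag(s)")
    return sanitized, findings


if __name__ == "__main__":
    # Constructed sample body, shaped like the attachment quoted in the thread.
    sample = "<HTML>\n<OBJECT CLASSID=" + "1" * 300 + ">\n</OBJECT>\n</HTML>"
    clean, notes = defang_object_tags(sample)
    print(clean[:40])
    print(notes)
```

Renaming the tag rather than deleting it keeps the original content visible to anyone inspecting the message later, and running the filter twice leaves already-defanged text unchanged.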
    


