Re: XML in IE 5.0

From: Mikael Olsson (mikael.olssonat_private)
Date: Thu Jan 13 2000 - 15:17:37 PST


    Mike Brown wrote:
    >
    > David Komanek wrote:
    > > I'm just playing with XML around and have noticed strange behavior of MS
    > > Internet Explorer 5.0 :
    > >
    > > - if I let the MS IE display SMALL xml-file, everything seems to be O.K.
    > >
    > > - if I let the MS IE display A BIT BIGGER xml-file, everything goes
    > > wrong [symptoms of a memory leak, Microsoft bad, etc]
    >
    > IE 5.0 uses an XML parser written by Datachannel.com. Have you tested your
    > file with this parser outside of the context of IE 5.0? You can download a
    > standalone version of the MSXML parser from msdn.microsoft.com, and you
    > can get Datachannel's version from datachannel.com.
    >
    > [Snip stuff about using good validators]
    >
    > I also don't see what this potential bug in the parser has to do with
    > computer security.
    
    A-hem.
    
    "Since we should be able to rely upon everyone sending us
    well-formed and validated data that conform to all standards,
    it doesn't matter if the software that we use to receive it
    is crappy. No one would willingly do us any harm!"
    
    (I'm sorry about the harsh tone, but, to me, that's the sum total
    of what you're saying?)
    
    I do agree that this particular bug won't "compromise" your
    system per se, but what about continually mailing large XML
    to someone using Outlook or some other mail software that
    uses MSIE to display HTML/XML?
    
    Yes, that's right, your victim wouldn't be able to read his/her
    email very effectively (or at all) - especially if this person
    has the preview pane activated :-)
    
    So, again, it's not a real compromise, but it does have the potential
    of disrupting business, which leads to loss of $$$. And the potential
    loss of $$$ is why companies invest in security. Which is why issues
    like this one sometimes (too seldom IMHO) get treated like security
    issues.
    
    'nuff rambling for one night =P
    
    /Mike
    
    --
    Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
    Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
    Mobile: +46-(0)70-248 00 33
    WWW: http://www.enternet.se        E-mail: mikael.olssonat_private
    


