lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 27 Oct 2004 11:09:55 -0700
From: MCMuir@...output.com
To: bugtraq@...urityfocus.com
Subject: Re: Update: Web browsers - a mini-farce (MSIE gives in)


6.0.2800.1106 on Win 2k Pro (5.00.2195 SP4) does not crash.

    -mike


<gabrield89@...mail.com> wrote on 10/25/2004 08:00:44 AM:

> In-Reply-To: <20041023001154.F23256@...adens.coredump.cx>
> 
> >
> 
> >Last but not least, MSIE gives in:
> 
> >
> 
> >>   Only MSIE appears to be able to consistently handle [*] malformed
> 
> >>   input well, suggesting this is the only program that underwent
> 
> >>   rudimentary security QA testing with a similar fuzz utility.
> 
> >
> 
> >To all those who considered my original post to be a great propaganda
> 
> >ammunition for praising MSIE, bad news - although it did take a longer
> 
> >while for it to give up - three hours - (impressive by comparison to
> 
> >competitors), it eventually did:
> 
> >
> 
> >  http://lcamtuf.coredump.cx/mangleme/gallery/ie_die1.html
> 
> >
> 
> >Tested on 6.0.2800.1106, dies in mshtml.dll. This is a NULL pointer
> 
> >dereference, so merely a DoS condition, but still an evident flaw in
> 
> >basic HTML parsing.
> 
> >
> 
> 
> 
> Testing on Windows 98 running IE 6.0.2800.1106. Nothing happens. IE 
> does not crash. Can anyone else confirm this?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ