reproducible IE crashes from KB918899

Discussion in 'Internet Explorer' started by Brian S. Bergin, Aug 11, 2006.

  1. http://www.comcept.net/crash.htm shows a reproducible IE crash bug
    introduced by KB918899 with no documentation we can find on how to
    work around it. The HTML code is simple enough:


    <html>
    <head>
    <script language="javascript">

    var m_oPop = null;

    function MakePopup()
    {
        // window.createPopup() is IE-only; the thread reports that showing
        // this pop-up repeatedly crashes IE once KB918899 is installed.
        m_oPop = window.createPopup();
        var oPopBody = m_oPop.document.body;

        // JScript string literals cannot span lines, so the body is
        // assembled from one literal per line.
        oPopBody.innerHTML =
            '<div style="background-color: green; color: white" ' +
            'onclick="parent.DoSomething()">This is a Pop-Up.<hr/>' +
            'Lorem ipsum dolor sit amet, ' +
            'consectetuer adipiscing elit. Nam massa mauris, pulvinar ac, tincidunt ' +
            'in, ullamcorper ut, diam. Nunc enim neque, auctor ac, euismod sit ' +
            'amet, suscipit sit amet, nisl. Praesent ipsum lorem, varius ac, ' +
            'tincidunt quis, faucibus nec, felis. Quisque facilisis mi nonummy ' +
            'mauris. Suspendisse velit. Aenean venenatis. Vestibulum vitae tellus. ' +
            'Class aptent taciti sociosqu ad litora torquent per conubia nostra, ' +
            'per inceptos hymenaeos. Suspendisse orci nunc, euismod quis, eleifend ' +
            'eget, tempor in, pede. Sed non justo. Aenean facilisis consectetuer ' +
            'metus. Proin diam. In vel tortor vel leo semper pellentesque. ' +
            'Phasellus semper. Morbi sit ' +
            'amet nibh. Nam lorem ipsum, luctus quis, rutrum eu, ultricies eu, ' +
            'lectus. Vestibulum auctor, mauris id feugiat laoreet, tellus felis ' +
            'venenatis neque, ut vulputate quam dui vel leo. Duis eget eros. ' +
            'Pellentesque at ipsum. Sed accumsan, dolor in venenatis rutrum, ligula ' +
            'ipsum mattis pede, in ultricies risus purus at risus. Aliquam eu nisi. ' +
            'Nunc sagittis, est vel dapibus interdum, ligula mauris vehicula nunc, ' +
            'nec aliquet magna turpis eu lorem. Quisque id tortor quis turpis ' +
            'pulvinar sollicitudin. Maecenas sed nulla non odio dapibus sodales. ' +
            'Cras in ipsum. Proin eu dui a turpis feugiat adipiscing. Vivamus nec ' +
            'arcu sed enim venenatis pretium. Nunc eget mauris. Sed molestie. ' +
            'Praesent eu diam. Fusce tempus tempus lorem. Vivamus neque. ' +
            'Proin id quam sit amet mi ' +
            'vestibulum tristique. Sed mi metus, placerat sit amet, tincidunt in, ' +
            'dapibus in, velit. Sed eget sem non pede volutpat elementum. ' +
            'Pellentesque a nisi eget nibh varius tincidunt. Sed malesuada, lorem ' +
            'et nonummy faucibus, leo sem pharetra purus, eget elementum lectus ' +
            'eros vitae odio. Maecenas auctor lectus in massa. Nam a felis rutrum ' +
            'nisl tincidunt tincidunt. Donec scelerisque adipiscing ligula. Fusce ' +
            'sem turpis, porta id, tincidunt consectetuer, mattis vitae, nisi. Sed ' +
            'sed felis sit amet odio hendrerit posuere. ' +
            'Nulla blandit hendrerit mi. ' +
            'Donec nec mi blandit tellus scelerisque vehicula. Nunc nisi odio, ' +
            'cursus et, commodo id, tincidunt vitae, dui. Proin quis ipsum in nibh ' +
            'pellentesque suscipit. Fusce non est quis pede blandit lobortis. ' +
            'Aenean pulvinar ante nec eros. Curabitur nec pede nec dolor interdum ' +
            'porta. Nunc lacus magna, malesuada eget, dignissim vitae, rutrum ut, ' +
            'lorem. Sed auctor, mi id rhoncus luctus, orci ligula suscipit nulla, ' +
            'et accumsan lacus nisl id est. Duis venenatis nibh vel tellus. ' +
            'Pellentesque habitant morbi tristique senectus et netus et malesuada ' +
            'fames ac turpis egestas. Ut nisl. Nullam a quam a magna fermentum ' +
            'condimentum. ' +
            'Sed mollis rhoncus felis. ' +
            'Aenean dapibus dolor ullamcorper est. Proin placerat metus eget ' +
            'ligula. Cras tellus lorem, tincidunt in, dapibus sit amet, feugiat ' +
            'non, quam. Praesent laoreet nulla ac orci commodo ullamcorper. Cras ' +
            'fermentum. Cras rutrum elementum leo. Donec feugiat justo at sem. Sed ' +
            'et dui id mi suscipit vestibulum. Mauris posuere ante id nulla. Proin ' +
            'non turpis. Suspendisse vehicula varius lacus. Fusce massa. Duis ' +
            'semper nunc a orci. Sed bibendum erat at nunc. In in nunc a ipsum ' +
            'iaculis ultrices. Donec eu neque in elit eleifend commodo.' +
            '</div>';
        // x, y, width, height, and the element the coordinates are relative to
        // (null = the desktop).
        m_oPop.show( 100, 200, 400, 400, null );
    }

    function DoSomething()
    {
        alert( "You clicked the Pop-Up." );
    }

    </script>
    </head>
    <body>
    <span id="pnlTesting" style="background-color: black; color: white"
          onclick="MakePopup()">Click Me</span>
    Click on the black area, then on the white area. Go
    back and forth several times.<br/>
    Eventually the browser will crash. It may take as
    many as 4 or 5 tries.
    </body>
    </html>

    This problem affects several thousand clients of theirs that use a
    browser-based application to run their business. I need help finding a
    solution ASAP.

    Sincerely,
    Brian S. Bergin


    Please post replies here so everyone may benefit.

    msdndotnntpdotnospamdot1atcomceptdotnet (replace dot with .)
     
    Brian S. Bergin, Aug 11, 2006
    #1

  2. PA Bear Guest

    Windows version(s)? Any Peoplesoft applications installed?

    Try calling 1-800-PC-SAFETY.
     
    PA Bear, Aug 11, 2006
    #2

  3. Thomas L Guest

    Reproduced on IE6, Windows XP SP2 with KB918899 installed.
    Thanks, Brian, for that great repro!
     
    Thomas L, Aug 11, 2006
    #3
  4. Any version of IE with that patch installed. Easily reproducible on
    XP Home, Pro, MCE, 2003 Server SP1, XP x64, 2003 x64, 2003 R2, 2003 R2
    x64, pretty much every shipping version of Windows.

    Note, however, that only 32-bit versions of IE on x64 systems appear
    to be affected.

    Our code does not repro on Win2k SP4 but apparently if you're running
    PeopleSoft on Win2k you have a serious problem too (we're not running
    PS so I cannot confirm a problem here).

    Microsoft has confirmed to me in an SRX case that this is indeed a known
    issue; in fact there appear to be at least 3 known issues with
    MS06-042; however, IMHO, they have little or no idea what's really
    happening, nor are they inclined to let anyone else know either.

    Sincerely,
    Brian S. Bergin


    Please post replies here so everyone may benefit.

    msdndotnntpdotnospamdot1atcomceptdotnet (replace dot with .)
     
    Brian S. Bergin, Aug 11, 2006
    #4
  5. Sandi - Microsoft MVP, Aug 12, 2006
    #5
  6. Glen Guest

    Could someone please post a link to the fixed urlmon.dll
    (ver. 6.00.2800.1567)?

    Why does MS insist on forcing people call them to get these
    basic fixes????? They sure didn't require us to call to get the
    security patch that caused this problem in the first place!
     
    Glen, Aug 12, 2006
    #6
  7. Sandi - Microsoft MVP, Aug 12, 2006
    #7
  8. Sorry, hit enter too soon.

    You do not need to download a "fixed urlmon.dll" yet. Please simply follow
    the directions (turn off HTTP 1.1) if you are not willing to contact MS for
    the file.

    Do *not* source the file from a third party - you open yourself up to the
    dangers of assembly hijacking.

    --

    Sandi Hardmeier
    Microsoft MVP since 1999
    http://www.ie-vista.com
    Internet Explorer Community
    http://www.microsoft.com/windows/ie/community/default.mspx
    The email address I use for newsgroups is a spam trap and does not get read.
     
    Sandi - Microsoft MVP, Aug 12, 2006
    #8
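    Two checks that follow from the advice in this post, written up as an added
    example that is not part of the thread: confirm that the urlmon.dll actually
    installed is the hotfix build and carries a Microsoft signature (rather than
    a file of unknown origin), and confirm whether the interim "turn off HTTP 1.1"
    workaround is in effect. Assumptions: Windows PowerShell 3.0 or later (not
    available on the 2006-era systems in the thread, where sigverif.exe or
    "signtool verify /a" would do the signature check); 6.00.2800.1567 is the
    version Glen quotes above; the registry value names EnableHttp1_1 and
    ProxyHttp1.1 are the ones IE's Advanced options tab writes; and on x64 the
    32-bit IE the thread says is affected loads SysWOW64\urlmon.dll.

```powershell
<#
  Added example (not from the thread): verify the installed urlmon.dll and
  report/apply the HTTP 1.1 workaround discussed above.
  Caveat: Get-AuthenticodeSignature recognises catalog-signed OS files only on
  Windows 8 / Server 2012 and later; on XP/2003 it reports NotSigned for every
  Microsoft system file, so use sigverif.exe or "signtool verify /a /v" there.
#>

function Get-UrlmonStatus {
    # 6.00.2800.1567 is the hotfix version quoted earlier in the thread.
    param([version]$ExpectedVersion = '6.00.2800.1567')

    # Check both copies on x64: 32-bit IE (the affected one) loads SysWOW64.
    $candidates = @("$env:SystemRoot\System32\urlmon.dll",
                    "$env:SystemRoot\SysWOW64\urlmon.dll") | Where-Object { Test-Path $_ }

    foreach ($path in $candidates) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Assemble a comparable [version] from the numeric parts; the FileVersion
        # string also carries a build tag such as "(xpsp.040919-1200)".
        $installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                    $vi.FileBuildPart, $vi.FilePrivatePart)
        $sig = Get-AuthenticodeSignature -FilePath $path

        [pscustomobject]@{
            Path              = $path
            InstalledVersion  = $installed
            IsHotfixBuild     = ($installed -ge $ExpectedVersion)
            SignatureStatus   = $sig.Status
            Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # A DLL with no valid Microsoft signature is exactly the third-party
            # "assembly hijacking" risk described in the post above.
            TrustworthySource = ($sig.Status -eq 'Valid' -and
                                 $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        }
    }
}

function Get-Http11Workaround {
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $props = Get-ItemProperty -Path $key
    # An absent value means the default, which is HTTP 1.1 enabled.
    $direct = if ($null -eq $props.EnableHttp1_1)  { 1 } else { [int]$props.EnableHttp1_1 }
    $proxy  = if ($null -eq $props.'ProxyHttp1.1') { 1 } else { [int]$props.'ProxyHttp1.1' }
    [pscustomobject]@{
        Http11Direct      = [bool]$direct
        Http11ViaProxy    = [bool]$proxy
        WorkaroundApplied = (-not $direct) -and (-not $proxy)
    }
}

function Set-Http11Workaround {
    # Applies (or with -Revert, undoes) the interim advice "turn off HTTP 1.1"
    # for the current user. Keep it only until the Microsoft-supplied urlmon.dll
    # is installed: HTTP/1.0 gives up persistent connections and chunked transfer.
    param([switch]$Revert)
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $value = if ($Revert) { 1 } else { 0 }
    Set-ItemProperty -Path $key -Name 'EnableHttp1_1' -Value $value -Type DWord
    Set-ItemProperty -Path $key -Name 'ProxyHttp1.1'  -Value $value -Type DWord
}

Get-UrlmonStatus | Format-List
Get-Http11Workaround
```

    Run it as the user whose IE is affected (the HTTP 1.1 settings are per user,
    under HKCU). A result with IsHotfixBuild true but TrustworthySource false on a
    modern system is the case to investigate before trusting the file; on XP/2003
    a NotSigned status is expected from this cmdlet and says nothing either way.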
  9. Glen Guest

    It's not a matter of "not willing to contact MS", Sandi. THREE
    out of the last FOUR cumulative Win2K roll-ups have caused
    crashes and other system problems, and every time I've had to
    call. It's gotten to the point where I don't trust MS to patch their
    own code, or at least to properly test patches before they
    release them publicly. And then they turn around and force you
    to call THEM to get the fixes, because "this fix has not
    been fully tested" yadda yadda. Absolute insanity.
     
    Glen, Aug 12, 2006
    #9
  10. Amen!

    Sincerely,
    Brian S. Bergin


    Please post replies here so everyone may benefit.

    msdndotnntpdotnospamdot1atcomceptdotnet (replace dot with .)
     
    Brian S. Bergin, Aug 12, 2006
    #10
  11. You don't trust MS's patching processes, but you will bypass MS and download
    files from an unknown source? That, I am sorry to say, is insanity (and I'm
    talking from the perspective of having to spend Friday resurrecting my two
    servers after things went wrong for me after installing various patches to
    my domain controller and terminal server). Despite being bitten by things
    going wrong, more than once, I will *not* download MS system files from
    third parties.

    Assembly hijacking is when the behaviour of a particular dll is changed. If
    you want to risk downloading a system file from a third party source, go for
    it, but you also have to live with the end result if things go wrong - end
    results that could, theoretically, be far worse than system crashes.

    An interesting article on assembly hijacking (where a single file's
    behaviour is changed without changing its byte size) can be seen here:
    Flash: http://www.rockyh.net/AssembHijacking/AssembHijacking.html
    Windows Media:
    http://www.rockyh.net/AssemblyHijacking/AssemblyHijacking.html

    The point of the article is SQL injection attacks, but it does show you how
    a DLL file can be edited to change what it does, starting at roughly 1
    minute, 50 seconds into the presentation.
    --

    Sandi Hardmeier
    Microsoft MVP since 1999
    http://www.ie-vista.com
    Internet Explorer Community
    http://www.microsoft.com/windows/ie/community/default.mspx
    The email address I use for newsgroups is a spam trap and does not get read.
     
    Sandi - Microsoft MVP, Aug 13, 2006
    #11
    > An interesting article on assembly hijacking (where a single file's
    Very VERY interesting, Sandi.
    Thank you.

    --
    Vincenzo Di Russo
    Microsoft® MVP - Most Valuable Professional
    Windows - Internet Explorer since 2003
    My home: http://mvp.support.microsoft.com/
    My Blog: http://blogs.dotnethell.it/vincent/
     
    Vincenzo Di Russo [MVP], Aug 13, 2006
    #12
  13. Sandi - Microsoft MVP, Aug 13, 2006
    #13
  14. Glen Guest

    Read for comprehension. I just told you I call MS for these
    updated files.
     
    Glen, Aug 13, 2006
    #14
  15. You're more than welcome Vince.

    We've just lost Rocky from the MVP ranks; he now works for Microsoft in a
    security role.

    I was at Code Camp Oz when Rocky gave that presentation - I knew what the
    audience was going to see so had the pleasure of being able to sit back and
    watch everybody's reactions - you could have heard a pin drop, and the
    effect it had on the audience was, at times, very gratifying (break out the
    champagne guys, they "get it" now).

    --

    Sandi Hardmeier
    Microsoft MVP since 1999
    http://www.ie-vista.com
    Internet Explorer Community
    http://www.microsoft.com/windows/ie/community/default.mspx
    The email address I use for newsgroups is a spam trap and does not get read.
     
    Sandi - Microsoft MVP, Aug 13, 2006
    #15
    You are the person who was the first (and, as far as I have seen in this
    group, the only) person who has asked for an alternative download link, yes?

    "Could someone please post a link to the fixed urlmon.dll (ver.
    6.00.2800.1567)?"

    --

    Sandi Hardmeier
    Microsoft MVP since 1999
    http://www.ie-vista.com
    Internet Explorer Community
    http://www.microsoft.com/windows/ie/community/default.mspx
    The email address I use for newsgroups is a spam trap and does not get read.
     
    Sandi - Microsoft MVP, Aug 13, 2006
    #16
  17. Vincenzo Di Russo [MVP], Aug 13, 2006
    #17
  18. Charlie Tame Guest

    The interesting thing is that most of the work is in the deductions made, not
    the coding; basically it's another version of a "Social Engineering" attack,
    isn't it? I mean, sure, you need to be a competent coder, but at the same time
    the way in is typically a chain of very human errors caused by assumptions
    again.

    Charlie
     
    Charlie Tame, Aug 13, 2006
    #18
  19. Social engineering is a major problem, agreed.

    Many do not realise what they are potentially exposing themselves to by
    sourcing files from alternate sources simply because they don't want to call
    MS (whatever their reason for not going to them may be). We need to realise
    that it is possible to change the behaviour of a DLL in a hostile way and
    that using unknown sources for whatever reason is a risk.

    --

    Sandi Hardmeier
    Microsoft MVP since 1999
    http://www.ie-vista.com
    Internet Explorer Community
    http://www.microsoft.com/windows/ie/community/default.mspx
    The email address I use for newsgroups is a spam trap and does not get read.
     
    Sandi - Microsoft MVP, Aug 13, 2006
    #19
  20. Charlie Tame Guest

    Well, I passed that link on to a few friends, including our company IT folks,
    so just by posting it you may have tipped a lot of people off about how some
    things they think are not exposed are in fact very exposed.

    I agree that it is ridiculous not to trust MS for updates when running an MS
    system, but I'm not sure that's what the OP was suggesting as I didn't read
    that much of the thread. I basically looked because I saw your name there
    and you usually have something useful that I either haven't seen or had
    forgotten about :) In this case I'm especially glad I did.

    It's the same as the fuss about WGA. My biggest fear is that with the
    advances made in spyware, adware and stuff like that a large number of
    pirated Vistas with some kind of timed release of a built in trojan would
    result in an internet nightmare on an unprecedented scale. What people don't
    see is that pirate sales are a limited profit, ongoing malware represents a
    longer term income, and we all know the unscrupulous are out there. And of
    course this is leaving out terrorists.

    We all know that many users don't have the knowledge to spot well-produced
    pirate copies, and if there's money in it, the technology to make them is out
    there and available now. As a last resort to deal with malware we can at
    this time tell folks to reinstall, but what if the original media is
    contaminated, what then? Many people will not notice, it won't be "broken"
    so they won't look to fixing it, and even if they do, what do they fix it
    with? If they do spot something and fail to ask then they will simply
    reinstall.

    The alternative to WGA may well turn out to be letting the problem continue
    until ISPs can locate them and cut them off, and some foreign ISPs simply
    won't, and US Law can't do a thing about it.

    Hell, there could be a whole range of malware built in, and with a few
    thousand zombies all coming online within 24 hours an unprecedented amount
    of damage could be done. Linux won't help anybody if the whole thing goes
    down for several days at a time. By this method the real perpetrator could
    remain undiscovered for long enough to do an incredible amount of damage.
    The potential for terrorism and the fact that people out there want to do it
    makes the money even more available for a big foreign operation along these
    lines. In this regard if WGA ever does become a "Kill Switch" we may all end
    up being grateful for it :)

    I honestly think there could be much more at stake here than MS profits, and
    maybe I'm making a worst case scenario but the other fear is that if MS
    can't stop this then the federal government will make a grab for control
    that people will accept, and we all know how well governments handle
    technology. I can think of nobody better to break it :)

    It seems odd to me that the very people who complain about MS insecurity now
    complain about its implementation of security for the future. I sympathize
    with those who have suffered the inconvenience of errors, of course.

    Charlie
     
    Charlie Tame, Aug 13, 2006
    #20