IE vertical-align:top vulnerability

by @jehiah on 2004-10-26 00:03UTC
Filed under: All , HTML , IE , Web , Security

Internet Explorer is susceptible to a vulnerability where one well-placed font tag will crash the browser, causing a denial of service for the user. This vulnerability involves no scripting and is not affected by any security settings in the browser. View the Proof of Concept

Analysis

When a font tag specifying a size spans two paragraph tags (that is, it starts inside one and ends inside the next), and those paragraphs are enclosed in a block-level element carrying the style declaration vertical-align:top;, the browser will crash. The most consistent way to trigger the crash is to resize the browser window (it seems to happen instantly on XP, but had a delayed reaction on 2k).

<div style="vertical-align:top;">
<p>First <font size="4">Paragraph</p>
<p>Second </font> Paragraph</p>
</div>

This vulnerability appears to be unaffected by the doctype (loose or strict).

Systems Affected

  • IE 6.0 SP2 on Windows XP
  • IE 6.0.2 on Windows 2000
  • IE 7b2 on Windows XP

Update

10/26/04 : Vulnerability submitted to Microsoft
10/28/04 : BUGTRAQ ID 11536
10/28/04 : It turns out the same problem occurs with ANY of the vertical-align values (bottom, top, sub, super, etc…) except baseline, so it has a broader scope than I previously thought. It also seems you can use ANY tag which modifies the text style (e.g. strong, em, code…). The only tags that seem unaffected are pre, address, and heading tags (h1, h2…). ISS X-Force ID 17911
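As an added example (not code from the original post), here is a small Python check that a content filter or template linter could run to flag the markup pattern described above: an inline text-style tag opened inside one <p> and still open when that <p> closes, while some ancestor element sets vertical-align to anything other than baseline. The inline tag list and the use of Python's html.parser are my assumptions; the sample input is the post's own proof-of-concept markup.

```python
from html.parser import HTMLParser
import re

# Inline tags the post reports as triggers (font plus other text-style tags); an assumption.
INLINE_TAGS = {"font", "strong", "em", "code", "b", "i", "u", "span"}
VA_RE = re.compile(r"vertical-align\s*:\s*([a-z-]+)", re.I)


class CrossParagraphInlineFinder(HTMLParser):
    """Records every <p> that closes while an inline tag opened inside it is still
    open, provided an ancestor carries vertical-align with a value other than baseline."""

    def __init__(self):
        super().__init__()
        self.ancestors = []   # stack of (tag, has_non_baseline_vertical_align)
        self.inline_open = [] # inline tags opened inside the current <p>
        self.in_p = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        m = VA_RE.search(style)
        risky = bool(m) and m.group(1).lower() != "baseline"
        self.ancestors.append((tag, risky))
        if tag == "p":
            self.in_p = True
            self.inline_open = []
        elif tag in INLINE_TAGS and self.in_p:
            self.inline_open.append(tag)

    def handle_endtag(self, tag):
        if tag == "p":
            if self.inline_open and any(r for _, r in self.ancestors):
                self.findings.append({"tags": list(self.inline_open), "line": self.getpos()[0]})
            self.in_p = False
            self.inline_open = []
        elif tag in self.inline_open:
            self.inline_open.remove(tag)
        # Pop the stack back to the matching open tag; a stray close tag is ignored.
        for i in range(len(self.ancestors) - 1, -1, -1):
            if self.ancestors[i][0] == tag:
                del self.ancestors[i:]
                break


def find_cross_paragraph_inline(html):
    """Return a list of findings ({'tags': [...], 'line': n}) for the given HTML."""
    parser = CrossParagraphInlineFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# The post's proof-of-concept markup, used here as sample input.
POC = ('<div style="vertical-align:top;">\n<p>First <font size="4">Paragraph</p>\n'
       '<p>Second </font> Paragraph</p>\n</div>')
```

Running find_cross_paragraph_inline(POC) reports the font tag left open at the end of line 2; the same markup with vertical-align:baseline, or with the font tag closed inside its own paragraph, produces no finding.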

Jehiah Czebotar