Internet Explorer is susceptible to a vulnerability where one well placed font tag will crash the browser causing a denial of service for the user. This vulnerability involves no scripting and is not affected by any security settings in the browser. View the Proof of Concept
When a font tag specifying size spans across two paragraph tags (where by it starts inside one, and end inside the next) and those paragraphs are inclosed inside a block level element containing the following style declaration vertical-align:top; the browser will crash. The most consistent way to trigger the crash is by resizing the browser window (it seems to happen instantly on XP, but had a delayed reaction on 2k).
<div style="vertical-align:top;">
<p>First <font size="4">Paragraph</p>
<p>Second </font> Paragraph</p>
</div>
This vulnerability appears to be unaffected by the doctype (loose or strict).
Systems Affected
10/26/04 : Vulnerability submitted to Microsoft
10/28/04 : BUGTRAQ ID 11536
10/28/04 : It turns out the same problem occurs with ANY of the vertical-align properties (bottom, top, sub, supper, etc…) except baseline so it has a broader scope than I previously thought. It also seems you can use ANY tag which modifies the text style (ie: strong, em, code…). The only tags that seem unaffected are pre, address, and heading tags (h1,h2…)
ISS X-Force ID 17911