Internet Explorer is susceptible to a vulnerability in which one well-placed font tag crashes the browser, causing a denial of service for the user. This vulnerability involves no scripting and is not affected by any security settings in the browser.
When a font tag specifying size spans two paragraph tags (that is, it starts inside one and ends inside the next) and those paragraphs are enclosed in a block-level element with the style declaration vertical-align:top; the browser will crash. The most consistent way to trigger the crash is by resizing the browser window (it seems to happen instantly on XP, but had a delayed reaction on 2k).
<div style="vertical-align:top;"> <p>First <font size="4">Paragraph</p> <p>Second </font> Paragraph</p> </div>
This vulnerability appears to be unaffected by the doctype (loose or strict).
10/26/04 : Vulnerability submitted to Microsoft
10/28/04 : BUGTRAQ ID 11536
10/28/04 : It turns out the same problem occurs with ANY of the vertical-align properties (bottom, top, sub, super, etc.) except baseline, so it has a broader scope than I previously thought. It also seems you can use ANY tag which modifies the text style (i.e. strong, em, code...). The only tags that seem unaffected are pre, address, and heading tags (h1, h2...).
ISS X-Force ID 17911
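As an added example (not part of the original advisory), here is a small Python check that a content filter could use to flag markup matching the pattern described above, including the broader scope noted in the 10/28/04 update. It inspects inline style attributes only, and its STYLE_TAGS set holds just the tags the advisory names; both are assumptions of this sketch.

```python
import re
from html.parser import HTMLParser

# Inline tags the advisory names as triggers; the list is not exhaustive.
STYLE_TAGS = {"font", "strong", "em", "code"}
# Keyword vertical-align values other than baseline (reported as unaffected).
VALIGN = re.compile(r"vertical-align\s*:\s*(?!baseline\b)[a-z][a-z-]*", re.I)
# The markup from the advisory, used as sample input.
POC = ('<div style="vertical-align:top;"> <p>First <font size="4">Paragraph</p> '
       '<p>Second </font> Paragraph</p> </div>')


class SpanningTagDetector(HTMLParser):
    """Flags a text-style tag still open when its <p> closes inside a
    container whose inline style sets vertical-align (not baseline)."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, has_valign) for each open element
        self.findings = []   # (line, tag) for each mis-nested style tag

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, bool(VALIGN.search(style))))

    def handle_endtag(self, tag):
        names = [t for t, _ in self.stack]
        if tag not in names:
            return  # stray close tag, e.g. the </font> in the next <p>
        idx = len(names) - 1 - names[::-1].index(tag)  # innermost match
        if tag == "p" and any(v for _, v in self.stack[:idx]):
            # Style tags opened inside this <p> and not closed before </p>.
            for open_tag in names[idx + 1:]:
                if open_tag in STYLE_TAGS:
                    self.findings.append((self.getpos()[0], open_tag))
        del self.stack[idx:]


def scan(html):
    """Return a list of (line, tag) findings for the given markup."""
    detector = SpanningTagDetector()
    detector.feed(html)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    print(scan(POC))
```

Styles applied through stylesheets or class names are not resolved here, so a clean result only covers the inline-style case.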