Internet Explorer is susceptible to a vulnerability where one well-placed font tag will crash the browser, causing a denial of service for the user. This vulnerability involves no scripting and is not affected by any security settings in the browser.
When a font tag specifying a size spans two paragraph tags (that is, it starts inside one and ends inside the next), and those paragraphs are enclosed in a block-level element whose style declaration contains vertical-align:top;, the browser will crash. The most consistent way to trigger the crash is to resize the browser window (it seems to happen instantly on XP but had a delayed reaction on 2k).
<div style="vertical-align:top;">
<p>First <font size="4">Paragraph</p>
<p>Second </font> Paragraph</p>
</div>
This vulnerability appears to be unaffected by the doctype (loose or strict).
Systems Affected
10/26/04 : Vulnerability submitted to Microsoft
10/28/04 : BUGTRAQ ID 11536
10/28/04 : It turns out the same problem occurs with ANY of the vertical-align values (bottom, top, sub, super, etc.) except baseline, so it has a broader scope than I previously thought. It also seems you can use ANY tag which modifies the text style (i.e. strong, em, code, etc.). The only tags that seem unaffected are pre, address, and heading tags (h1, h2, etc.).
ISS X-Force ID 17911
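The pattern described above (an inline text-style tag that opens in one paragraph and closes in the next, inside a block with a non-baseline vertical-align) can be screened for in HTML before it is served to affected clients. The following checker is an added example, not code from the original advisory; it assumes the tag set and the vertical-align rule exactly as the advisory states them, and the sample markup is constructed here.

```python
import re
from html.parser import HTMLParser

# Inline text-style tags the advisory names as able to trigger the crash, plus common equivalents.
INLINE_TAGS = {"font", "strong", "em", "code", "b", "i", "u", "span"}
# Any vertical-align value other than baseline; the advisory reports baseline alone as unaffected.
VERT_ALIGN = re.compile(r"vertical-align\s*:\s*(?!baseline\b)\S", re.I)


class CrossParagraphInlineFinder(HTMLParser):
    """Reports inline tags opened in one <p> and closed in a later one while an
    ancestor block carries a non-baseline vertical-align declaration."""

    def __init__(self):
        super().__init__()
        self.blocks = []       # stack of (tag, has_non_baseline_vertical_align)
        self.open_inline = []  # stack of (tag, number of the <p> it was opened in)
        self.para = 0          # running count of <p> start tags seen so far
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "p":
            self.para += 1
        elif tag in INLINE_TAGS:
            self.open_inline.append((tag, self.para))
        else:
            style = dict(attrs).get("style") or ""
            self.blocks.append((tag, bool(VERT_ALIGN.search(style))))

    def handle_endtag(self, tag):
        if tag in INLINE_TAGS:
            # Match the most recent open tag of this name; the mis-nesting is the point, so no <p> check.
            for i in range(len(self.open_inline) - 1, -1, -1):
                if self.open_inline[i][0] == tag:
                    _, opened_in = self.open_inline.pop(i)
                    if opened_in != self.para and any(flag for _, flag in self.blocks):
                        self.findings.append(f"<{tag}> opened in paragraph {opened_in} and closed in "
                                             f"paragraph {self.para} inside a vertical-align block")
                    break
        elif self.blocks and self.blocks[-1][0] == tag:
            self.blocks.pop()


def find_crash_patterns(html):
    """Return a list of findings describing each occurrence of the crash pattern."""
    parser = CrossParagraphInlineFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: the advisory's own trigger, the same markup with the one safe value, and clean nesting.
TRIGGER = '<div style="vertical-align:top;">\n<p>First <font size="4">Paragraph</p>\n<p>Second </font> Paragraph</p>\n</div>'
SAFE_BASELINE = TRIGGER.replace("vertical-align:top", "vertical-align:baseline")
WELL_NESTED = '<div style="vertical-align:top;"><p>First <font size="4">Paragraph</font></p><p>Second Paragraph</p></div>'
```

Run find_crash_patterns over page templates or user-submitted HTML; a non-empty result identifies markup that should be re-nested before it reaches an affected Internet Explorer build.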
4 years, 8 months ago
Does not work on XP Pro SP2, IE 6 SP2.
4 years, 8 months ago
Does not work on IE 5.50 on Win98SE either
4 years, 5 months ago
Only works if a MS-style CR is also inserted between the font markers. Hand edit the file without any CRLF, or with Composer (uses Unix-style CR/LF) — and the magic is gone.
4 years, 2 months ago
This still crashed my XP Pro /w IE6 SP2 as of March 21st, 2005.
3 years, 5 months ago
I don't know, but IE7b2 is crashing on this page.
3 years, 4 months ago
Yes, it works on my IE6 SP2. MS needs to do something.
3 years, 3 months ago
LOL, it works fine on my IE6 SP1 on Windows XP Pro SP2 and it didn't crash.
2 years, 10 months ago
It made my IE 6.0.2900 browser crash and I am running XP SP2… that sucks…
2 years, 8 months ago
Works (where “works” is defined as “browser crashes on loading proof of concept page”) on XP/SP2 + IE 6.0.2900.2180.xpspsp2gdr.050301-1519
where do they get these version numbers from? /dev/urandom?
Looking at a string like that you’d think there was time to get CSS2 out the door.
Btw on XP in Ffox the text cursor isn’t visible in this textarea for me. No biggy. I’m just using this horrid XP box to debug layout spaz anyway :)
1 year, 10 months ago
Anyone know if this is still an issue? I have never heard of this before, and I am not sure that I have any code like this anywhere, but before I go and waste time looking for it, I would love to know if MS has fixed it.
1 year, 10 months ago
@Jim: looks like this was finally addressed in IE7