Re: IE 4.01 bugs in Win95 & WinNT. (long)


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: IE 4.01 bugs in Win95 & WinNT. (long)
  • From: "Abe L. Getchell" <agetchelKDE.STATE.KY.US>
  • Date: Mon, 16 Mar 1998 13:54:39 -0500
  • Comments: To: David LeBlanc <dleblanciss.net>
  • In-Reply-To: <3.0.1.32.19980316132546.00bd9890mail.iss.net>
  • Reply-To: "Abe L. Getchell" <agetchelKDE.STATE.KY.US>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

>>Microsoft's position in this matter is, "The IE team has put this bug in
>>the bug database, and it will be fixed in the next release or service
>>release."  Personally, I think that bugs like these in commercial
>>software are unacceptable, but I can understand why they took the
>>position they did.  As Russ said in an e-mail to me, "...and while GP'ing
>>your machine is not a good thing, you're not likely to return to the site
>>that caused it...".  Make of it what you will...  If you have any
>>questions, feel free to contact me at agetchelkde.state.ky.us.  Thanks
>>for listening...
>
>Unless someone can come up with some way to use these bugs to cause a stack
>overwrite, then I'd have to agree that MS is doing the right thing.  Since
>it doesn't appear to really be a security breach, and isn't something we're
>actually going to hit very often in the wild (i.e., a correctly created web
>page won't zap you), this constitutes a medium priority bug (IMHO), which
>should get fixed in the next rev, but isn't worth incurring the
>considerable expense of QAing a full dot release.

        I agree with everything you are saying, except one thing; it's not the
people creating the correctly written websites that worry me, it's the
people who may use this glitch for malicious intent.  This is why I was
hesitant about releasing what I had found in the first place.  I don't want
to cause headaches for the users, and I don't want to make people upset
with Microsoft... but people should know that this danger exists and what
to do if it should happen to them.  What should they do?  At this point not
much... don't go back to the site that gave you problems, and let the
sysadmins of the server where the webpages reside know what is going on.
Anyways, like Russ mentioned, you probably won't go back to the site that
made your browser bomb, and these bugs simply crash your browser (and
sometimes system), so there is no immediate security hole to be worried
about... yet.  I'm still working. :-)

Abe

--------------------
Abe L. Getchell
System Support Services
Kentucky Department of Education
E-Mail: agetchelkde.state.ky.us
Voice:  502.564.2020ext225
Fax:     502.564.4695
--------------------