Tuesday, October 19, 2004

Malformed HTML and other booboos

http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0

That is a Bugtraq entry by Michal Zalewski pointing to a tool which creates tiny fragments of malformed HTML (Careful with that link, it may crash your browser). These fragments seem to cause crashes and unresponsiveness in all browsers except Internet Explorer. I tried some examples out with Mozilla Firefox 1.0PR and sure enough there were crashes.

People may say (typically the Open Source apologist, Slashdot crowd) that it's just crashes and it's not a big deal. It is a big deal. If you know an input that makes a program crash, then it has turned into a denial-of-service attack. It would be interesting to see how many bugs are reported in the Mozilla buglist as a result of this tool, and how quickly they get fixed. My guess (and hope) is that the Mozilla developers will work really hard to fix these bugs quickly to maintain the momentum that Firefox has gained.

This makes for an interesting observation. Apparently IE's HTML rendering engine is much more robust than that of its competitors. Why is IE so maligned for security concerns then? It's because of IE's solid integration with Windows and a poor UI for installing and uninstalling ActiveX controls. Any vulnerability in IE can quickly become a vulnerability in Windows (and most vulnerabilities for IE do try to compromise the user's local machine). And most users blindly install ActiveX controls without checking where they come from.

To Microsoft's credit, the ActiveX control UI problem is mostly fixed with Windows XP Service Pack 2. Service Pack 2 also has a built-in popup blocker. All Microsoft needs to do now is to implement a good and highly customizable UI for tabbed browsing and I'll be (maybe) willing to leave Firefox. Keep in mind, however, that the popup-blocking and ActiveX UI improvements in IE are only available for Windows XP. If you use Windows 2000 then you are probably better off with Mozilla Firefox 1.0PR.
