Re: XML in IE 5.0
Subject: Re: XML in IE 5.0
From: Mike Brown (mike HYPERREAL.ORG)
Date: Thu Jan 13 2000 - 21:04:29 CST
Mikael Olsson wrote:
> > I also don't see what this potential bug in the parser has to do with
> > computer security.
>
> A-hem.
>
> "Since we should be able to rely upon everyone sending us
> well-formed and validated data that conform to all standards,
> it doesn't matter if the software that we use to receive it
> is crappy. No one would willingly do us any harm!"
>
> (I'm sorry about the harsh tone, but, to me, that's the sum total
> of what you're saying?)

Not really. I'm not excusing the bug. They should fix it. I'm just saying
that in my opinion, being able to send a browser some data that makes it
hang doesn't necessarily constitute a denial of services. You can still
close out of the browser and probably not lose much available memory, I
assume, and no other services are affected other than the one browser
process.

You can do the same thing to Netscape Navigator (funny how *their* bugs
are less offensive to people) by making a valid HTML document (of course,
"valid HTML" still has a lot of leeway) containing nested tables or lists,
about 15 levels deep. I have an example of this at:
http://www.skew.org/xml/tree_viewers/sample_output.html
(not a plug; just don't expect the page to load in most versions of
Navigator)

> I do agree that this particular bug won't "compromise" your
> system per se, but what about continually mailing large XML
> to someone using Outlook or some other mail software that
> uses MSIE to display HTML/XML?

Good point. I didn't think of that. MSIE's rendering engine is available
for use by other applications, so they'd potentially be affected as well.
Too bad this wasn't mentioned in the original post.

Of course, along those same lines, continually mailing large files can
cause many problems when disks start filling up.

This archive was generated by hypermail 2b27 : Fri Jan 14 2000 - 23:22:27 CST