In association with heise online

06 January 2007, 13:50

Concurrent events throw Internet Explorer off track

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Security specialist Michal Zalewski has published a demo that causes Internet Explorer 6 and 7 to crash when it reads in nested XML tags and repeatedly causes timer events. Zalewski says he cannot rule out the possibility that attackers could use concurrent events to manipulate memory and have code injected and executed. However, he does say that it would be difficult to do because the timing would have to be very exact and the transmission of the content of a website controlled very accurately, for rendering in a browser. According to Zalewski's analysis, the flaw is in XML library MSXML3.

In July of 2006, it was demonstrated that events occurring simultaneously or in quick succession in scripts, can throw a browser off track; back then, Firefox was the victim. Simultaneous XPCOM Events, controlled by JavaScript, lead to access to deleted timer objects in the memory, which would generally only cause the browser to crash, but developers say that this process at least has the potential to allow code to be injected and executed. Two months later, another hole in the synchronous rendering of content in Firefox, also discovered by Zalweski, was made public; it also caused the browser to crash due to memory violations. Once again, the developers could not ensure that this process would not allow malicious code to be injected into a system; they therefore categorized the problem as critical.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit