Extending the orthogonal bugs trilogy - part IV

the orthogonal bug adventures

We've already documented a trilogy of orthogonal bugs where a buggy browser is used to crash a buggy processor:

We thought that was it.

But it wasn't.

This page demonstrates yet another variation on the theme of emergent behaviour due to orthogonal bugs, on Windows 95 and NT systems running Internet Explorer 4 or Outlook Express. It utilises the recent EMBED tag overflow bug as described to bugtraq by George Guninski to cause an overflow after code exploiting the Pentium F00F bug has been placed into the same memory that the processor must read its instructions from.

We've done all this before. We won't labour the point.

Microsoft's ever-growing Internet Explorer security pages mention this problem, and a patch is now available from their EMBED tag issue fix page. That page says:

It's difficult, but possible, for the page to then run code in memory on that machine.
[..]
There have been no reports of any customer being affected by this bug.

Er, right. Well, large corporations are free to say whatever they like. Whatever.

Oh, by the way, do please see our original earlier IE4.0 res overflow/Pentium orthogonal bug page, our IE4.0 mk overflow/Pentium orthogonal bug page, and our IE4 object crash page for further demonstrations of the emergent behaviour of orthogonal bugs.

Are customers affected? You be the judge! You may also wish to read:

Of course, Netscape has its own problems.

Lloyd Wood (L.Wood@surrey.ac.uk)
last updated 28 April 1998

Where do you want to go today?