We've already shown that any two orthogonal, completely unrelated bugs can be exploited together in synergy to wreak havoc far beyond the impact of either bug alone, as emergent behaviour. And then we demonstrated it again. But any good enough experience will eventually form a trilogy. (Although it hasn't stopped there, and further exploits have since been noted.)
So here we are, once more going into the breach that Internet Explorer puts in Windows. (Isn't it a shame that Internet Explorer isn't a standalone application, but part of the operating system?)
This page demonstrates another variation on the theme of emergent behaviour due to orthogonal bugs, on Windows 95 and NT systems running Internet Explorer 4.0.1. It utilises the recent Getchell object overflow bug as described to bugtraq to cause a crash after code exploiting the Pentium F00F bug (embedded here in comments) has been placed into the same memory that the processor must read its instructions from.
As a result, you may end up crashing more than just Internet Explorer 4.0.1. Change the processor or the browser, and this extreme behaviour does not emerge. Crashing a browser is remarkably easy. Crashing a processor is generally harder. But you can use one to help you do the other.
If you are running Internet Explorer 4.0.1 on an original Pentium as described above, the results may not be pleasing to you. If you're still reading this (possibly after dismissing an 'active content' warning that use of the OBJECT tag can generate if a high security level is set), count yourself lucky.
Here's the official Intel Pentium invalid instruction erratum. Microsoft's ever-growing Internet Explorer security pages may mention this at some point.
Please see our original earlier IE4.0 res overflow/Pentium orthogonal bug page and IE4.0 mk overflow/Pentium orthogonal bug page for further demonstrations of the emergent behaviour of orthogonal bugs.
Delivery of these attacks by email is also possible.
Media coverage of this page:
You may also wish to read: