Exploiting orthogonal bugs

the orthogonal bug adventures

We have this theory that any two orthogonal, completely unrelated bugs can be exploited together in synergy to wreak havoc far beyond the impact of either bug alone. Think of it as emergent behaviour.

This page demonstrates the most recently discovered emergent behaviour on Windows 95 systems running Internet Explorer 4 on Intel Pentium processors. It exploits both the res security hole and the Pentium F00F bug. Change the processor or the browser, and the behaviour does not emerge.

Microsoft Windows has little in the way of a security model, and lots of orthogonal bugs. We're going to see more emergent behaviour in future. The technique we use is simple; we do not advocate copying it.

If you are running Internet Explorer 4.0 on a Pentium running Windows 95, don't click on me! (The META-HTTP reload has been removed from this page pending our move from httpd to Apache, which returns a different response to users of other browsers that interrupts reading of this page.)

Here are the original IE4.0 buffer overflow advisory and the official Intel erratum - Intel claim that they can fix this. Microsoft's ever-growing Internet Explorer security pages now include a patch for this problem.

A variation on this problem with wider scope has since surfaced, and is described on our IE4.0 mk bug page.

Media coverage of this page: as seen in Newsbytes

Lloyd Wood (L.Wood@surrey.ac.uk)
last updated 2 April 1998
