IE 4.0 Bug (Crash With Frames)

Reported March 19, 1998 by Thomas Weidauer on BugTraq

Systems Affected

Windows 95, Windows NT running IE4.0

Description:

>I just found a way to crash IE 4 using frames:
Make a file "test.htm" with the following content and view it with IE 4. Under Win95 IE 4 will crash.

IE 4 BUG

Comments:

Rommetveit Per Stuve (romper@HS.NKI.NO) replied on March 19, 1998:
What happens here is that there is a loop. test.htm creates a page with two frames, the source for these two frames is test.htm, which creates another two frames, and so on and so on.

I tested this on a Dell Latitude XPI P133 ST with 40MB RAM. The laptop is running Windows NT Workstation build 1381 with service pack 3 applied. No hotfixes. The browser I tested with was Internet Explorer 4.0.

Before I enter test.htm into the address window of IE 4.0, only IE 4.0 itself, Windows NT Task Manager, and Eudora Pro 3.0 E-mail client are running. This is what happens when I load the test.htm page into IE 4.0:
The CPU Usage bar in Windows NT Task Manager goes to 100%.
The MEM Usage bar increases very fast.
The Internet Explorer 4.0 application is reported as not responding.

The only way to end IE 4.0 is to end it with the help of Task Manager and kill the application or the process, or use kill via the command line. The CPU Usage stays put around 80 to 100% for 1 minute, then it goes up and down. The MEM Usage increases all the time. Then CPU Usage goes stable at 15-25% for a long while.
After 37 minutes and a lot of disk thrashing I get a message box saying:
System Process - Out of Virtual Memory
Your system is running low on virtual memory. Please close some applications. You can then start the System option in the Control Panel and choose the Virtual Memory button to create an additional paging file or to increase the size of your current paging file.

Commit Charge dropped from 133 784K to 46 528K when I ended IE 4.0.
This is most certainly a bug in IE 4.0. I don't know if it is fixed in newer releases or if there is a bugfix available. And I don't have access to the web now, so I can't check.

Just out of pure curiosity I wanted to load the same file, test.htm, into Netscape Navigator 4.0 to test if the bug was there too. It was not. I got four frames, as I would expect from a correct point of view.

System Administrator (root@ATRIUM.CARDIMA.COM) replied on March 19, 1998:
I found that the loop is not necessary. Name the page ie4test.html and leave the frame links as test.htm (which need not exist), and it still crashes IE4. The entire content is inside an HTML comment anyway, so the correct action for ANY browser is to treat the entire page as a no-op.

Aleph One (aleph1@DFW.NET) reported on March 20, 1998:
It also seems to affect Netscape Navigator 3.X and Netscape Communicator 4.X on all platforms. It may not crash every time but it does so very consistently. It crashes when you load some page after the page containing the recursive frames. If the page you load after is already in your cache your chances of crashing seem to be greater. YMMV.
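
The frame loop described in the first reply, modelled as an added example (not code from the original posts): naiveDocumentCount shows how fast the number of documents grows when every copy of the page loads two more copies, and loadFrames shows a loader that stops the loop with an ancestor check plus depth and frame limits. The site map, the function names and the limit values are assumptions made for illustration.

```javascript
// Constructed sample: each document is reduced to the frame sources it declares.
const SAMPLE_SITE = {
  "test.htm": ["test.htm", "test.htm"], // the self-referencing page from the report
  "index.htm": ["menu.htm", "body.htm"], // an ordinary two-frame page
  "menu.htm": [],
  "body.htm": [],
  "a.htm": ["b.htm"], // indirect loop: a.htm -> b.htm -> a.htm
  "b.htm": ["a.htm"],
};

// Documents a loader with no checks would create down to `depth` nesting levels.
function naiveDocumentCount(site, url, depth) {
  if (depth === 0) return 1;
  return (site[url] || []).reduce(
    (n, child) => n + naiveDocumentCount(site, child, depth - 1), 1);
}

// Guarded loader: refuses a frame whose URL already appears among its ancestors,
// and enforces assumed limits on nesting depth and on total frames per page.
function loadFrames(site, topUrl, limits = {}) {
  const maxDepth = limits.maxDepth || 8;    // assumed value
  const maxFrames = limits.maxFrames || 64; // assumed value
  const report = { loaded: [], blocked: [] };
  function visit(url, ancestors) {
    let reason = null;
    if (ancestors.includes(url)) reason = "ancestor";
    else if (ancestors.length >= maxDepth) reason = "depth";
    else if (report.loaded.length >= maxFrames) reason = "budget";
    if (reason) {
      report.blocked.push({ url, reason });
      return;
    }
    report.loaded.push(url);
    // A frame source that does not exist declares no frames of its own.
    for (const child of site[url] || []) visit(child, [...ancestors, url]);
  }
  visit(topUrl, []);
  return report;
}

// Ten levels of the self-referencing page already mean 2047 documents.
console.log(naiveDocumentCount(SAMPLE_SITE, "test.htm", 10));
console.log(loadFrames(SAMPLE_SITE, "test.htm"));
```

The ancestor check alone handles both the direct and the indirect loop in the sample; the depth and frame limits cover chains of distinct URLs that never repeat.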

Credit:
Reported by: Weld Pond (weld@L0PHT.COM)
Posted here at NTSecurity.Net