This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.
If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):
ms-its:%F0:
or just click this link with IE6.
Here’s a short video example of the crash that results from typing that text above into an IE6 window:
The “ms-its” bit is a reference to one of the helper extensions built into IE6. Alex Holden, the Wisconsin based researcher who showed me this crash, said the bug is the result of a pointer overflow in IE. The crash does not appear to work in newer versions of IE.
Holden said he notified Microsoft about his finding back in 2004. An e-mail thread Holden shared with krebsonsecurity.com indicates that Microsoft engineers believed there were no severe security consequences of this bug, and that it would probably be fixed in a future service pack. Obviously, it never was.
One way XP users might encounter this would be if the short code above or something like it were included in a link sent to a targeted user via instant message or e-mail. Indeed, one could imagine a computer worm that went around and changed the victim’s default home page to this short bit of code. The victim would be no longer be to get online….with IE6, anyway (although a registry hack could almost certainly fix the swapped home page).
There is one interesting possible use for this tiny snippet of crash-inducing code. Maybe someone you know and care about insists on using IE6 or refuses to upgrade to IE7 or IE8. Install Firefox or some other browser alternative, and then change their IE home page to “ms-its:%F0:” Chances are good they will never be able to open IE6 again.
Tags: alex holden, defcon, ie6, internet explorer, ms-its
9(unknown*no*no*0)&guid=ON){kind=small}
Unfortunately certain organizations think that installing *other* browsers besides IE6 is a security threat. Sigh. Funny tip, though… I know a few people who would go absolutely nuts with this.
I use Firefox exclusively. Haven’t opened IE in any version in months (though it’s updated automatically) and only then when I’m on one of the MS websites that require it. I’ve been told I can’t uninstall it (which I would do just for spite). Yet I find temp files in it — sometimes more than in Firefox — when I run CCleaner. Does that mean it’s somehow operating in the background, and does this pose a security threat?
>Yet I find temp files in it — sometimes more than in Firefox — when I run CCleaner. Does that mean it’s somehow operating in the background, and does this pose a security threat?
Applications can use the IE rendering engine for internet functions or to display local help. Although not a high security threat, any vulnerabilities in the IE engine could be exploited if the application displays content from the internet.
You may be able to open the temp files to figure out which application(s) use the IE engine.
Thanks — I’ll try that.
Running Windows Media Player will result in cookies being added to your IE temporary files folder.
Great blog, Brian.
FWIW changing the home page in any flavour of IE on Windows doesn’t require a registry hack — just open the Control Panel applet for “Internet Settings” and change it there.
FWIW #2: if IE6 is the flavour of IE on your box, running the Windows Update option on the Start Menu starts IE6 bypassing the home page. In fact, even if you “disable” IEn on any version of XP, that program is still there. Even if it has been yanked off the Start Menu, Start -> Run -> wupdmgr.exe will fire up IE and take you to your chosen Windows Update or Microsoft Update page.
Nice. Thanks for the info, Angus
I just looked for the home page setting in the Internet Options applet. It was there when I opened Internet Options from the Tools menu inside Internet Explorer. It was not there when I opened Internet Options from the Control Panel.
(I am using XP SP3 and IE8, all up to date. I might have a chance to try this with IE6 next week.)
Is this because Internet Options only makes settings for all users? (That would make sense — the administrator can enforce security on the limited users and guests; obviously homepage should be left up to each user.) Do earlier versions or service packs do it differently?
Interesting, you must be running a different IE8 than I am
. I just checked my two IE6 VMs (on XP and Win2k), my IE7 machine (XP Pro) and my IE8 machine (Win7 Pro) and setting the home page is the first option on the “General” tab of “Internet Options” as opened from the “Control Panel” for all of them.
If you have any IE explorer icon on your desktop it is possible to edit the properties of IE without actually opening the program and going to the homepage.
Not that the average user that still has IE6 would even know what ‘right click’ is.
My Federal Agency still uses IE6 exclusively; no other browsers allowed. We’re not supposed to surf the web.
I can just see webmasters trying to create a check for IE6 and then redirecting such users to that address automatically when they arrive.
IE6 under WINE does not crash.
Did he give you any reason why “ms-its:%F0:” crashes the browser?
What program does the “ms-its” protocol fire up on IE6? Did you try other ascii codes (the “%F0″) on it?
For many years there was a simple c program that would reliably crash any Windows machine (through Win 200,IIRC) by writing a few (say, 3) characters to the screen buffer, then writing several (more than 3) backspace characters to it, thus corrupting the memory.
Like Krebs said: 0 not o,
omg Georgia is a horrible font!
OK, so does the “ms-its:%F0” trick work in the XP Mode environment?
To illustrate XP Mode, Wikipedia shows a screenshot entitled “Internet Explorer versions 6, 7, and 8 run concurrently on a Windows 7 desktop using Windows XP Mode”!
I guess this is useful to web designers.
http://en.wikipedia.org/wiki/XP_Mode#Windows_XP_Mode
or search for XP Mode in Wikipedia.
FYI, Interesting, in Win 7 the XPMode VPC/VHD licensed download still uses IE6.
DL
get the heck outta here! really???
WTF !
Very sorry. I accidentally and stupidly made my replies to this comment under the previous one. Embarassing. Hanging my head in shame.
I still have IE6 on an old (over 10 years) laptop that runs Windows 2000 and has very limited resources (only 196 MB of RAM and 5GB hard drive–it’s old).
I have not updated the IE version because I’m afraid the computer could not handle the demands of IE7 or IE8. I open IE6 only when I’m forced to by Microsoft, and I have the firewall set to allow IE6 access to the Internet only when I actually “allow” it on the popup.
The laptop is also set for automatic updates from Microsoft.
(1) How vulnerable does the IE6 make me under those circumstances?
(2) Am I wrong about the old, limited-resource laptop running Windows 2000 being able to handle IE7 or IE8?
Windows 2000 does not support anything newer than IE6. If you must use the Internet from that machine, absolutely you should dump IE in favour of Firefox with NoScript and AdBlock Plus. The only reason I use IE is to run Windows Update, and to test websites that I develop for compatibility.
@Angus S-F
Thank you for the information that Windows 2000 limits my ability to upgrade from IE6 to a safer version of Internet Explorer.
Of course I use Firefox for browsing when I must use this old laptop. As I said, “I open IE6 only when I’m forced to by Microsoft, and I have the firewall set to allow IE6 access to the Internet only when I actually ‘allow’ it on the [firewall's] popup.”
But it appears that just having a program on one’s computer makes one vulnerable, even if the program is unused (e.g., an old Real Player without updates).
What steps can I take to protect myself if I’m stuck with IE6? (Considering that my tweaking skills are limited–probably at the moderately experienced geezer level,)
@Kensington – WRT “what steps can I take”, I would make sure I had a good backup system and I USED IT so that in the event of a problem, I didn’t lose data. I would also set up a limited user and run as that limited user most of the time — in fact, that’s what I do now, although I’m on XP. If I were truly paranoid, I would spend a little money and buy Sandboxie – Sandbox software for application isolation and secure Web browsing – from
http://www.sandboxie.com/ and I would run my email and Firefox from within the sandbox. HTH.
Some versions of IE6 will crash with even more elegant (6 character) version of this exploit:
its:©:
I’m surprised no one’s found a way to make it BSOD the entire system.
javascript:window()
this does the same in IE 6
There are 2 other ways to get around a bad home page with internet explorer.
1. If it is your default browser, from a command window run: start http://www.yahoo.com/
2. If not your default browser. Run iexplore directly.
If it is in you PATH, “iexplore http://www.yahoo.com/” will work. If not in your PATH, on XP, change your directory to C:\Program Files\Internet Explorer and run the above command.
By the way, the start command works for any file type that is associated with an application on Windows.
You should mention that these tricks will work with any Internet URL.
A third method, if IE is your default browser,
is to double-click on the icon for any Internet URL.
This goes to show that this trick does not completely shut down IE. But it will stymie those users who believe that the only way to surf the Internet is to go to the homepage first, always the default set by Microsoft or their ISP.
The hospital system where I work is running IE6 on all the PCs its employees use to access the financial and medical records of its 3.3 million patients (and where overnight employees may be surfing the web while sitting at the desk answering patient call bells). Scary. The IT people feel no one should use anything other than Internet Explorer because it’s “the industry standard.” The same IT folks seemed to think I was overly paranoid when I kept calling in trouble tickets when the antivirus software on the wall mounted monitors were all displaying warnings that conficker had been blocked from installing from some other computer on the network.
Well right.I have used IE6 earlier and it includes all prior patches and updates as well as enhancements to security and reliability.Ne ways i will keep looking for more information and reviews.
how about that: