HTML vulnerabilities alert



December 25, 2005


If you thought the security holes in Internet Explorer were large enough to
push a G-class star through, then you haven't seen anything yet. A new
report released by the prestigious firm of Internet Security ® Us, Inc.,
warns that "organic-based holistic HTML parsing systems" (i.e. the human
brain) pose the greatest threat to Internet security.

Many geeks have tried to avoid the growing insecurity of mainstream Web
browsers by rendering HTML pages directly in their heads. However, it
appears this solution is actually worse than the disease.

"Whether you access the Web through wget, telnet, avian carriers, or by
whistling directly into an acoustic modem, you cannot escape from this
vulnerability," said Wolf Kryir, spokesperson at Internet Security ® Us. "We
have escalated the criticality of this problem from MODERATE to WE'RE ALL
SCREWED."

The exploit is made possible by the fact that the entire brain runs under a
'root' account that has full privileges. "As a result of this design flaw,
once an attacker gains a foothold inside the brain's wetware, the entire
body is then ready for their evil bidding."

Potential examples of this vulnerability include:

* Daniel Robbins agreeing to work for Microsoft
* Eric S. Raymond choosing the BSD license over the GPL
* Microsoft engineers embracing security (the jury is still out on this
one)
* Top executives at Novell dropping KDE support
* Mac OS X developers embracing Intel hardware
* Scott McNealy's erratic business decisions
* Two words: Darl McBride

One confirmed victim explained how his brain became rooted: "One minute I'm
surfing a certain triple-X website for, ah, research purposes, and the next
thing I know, I have this uncontrollable urge to rush out to a Claw-Mart
Supercenter and buy 100 copies of a tabloid magazine with the headline
'Elvis Spotted On Mars' splashed across the cover!"

The researchers at Internet Security ® Us have been unable to determine the
exact sequence of HTML tags that cause the vulnerability. They suspect that
the exploit code looks something like:

<execute mode="root" timeframe="now">
Convert your company into a publicly-traded lawsuit by filing bogus suits
against your former partners.
</execute>

or:

<hypnotize control="total">
<!-- You are getting very sleepy.
You are now under our control. -->
<suggestion implement="now">
Join the Dark Side. Microsoft is where you want to go today.
</suggestion></hypnotize>

It's also possible that the offending code is more subtle, consisting of a
certain combination of nested HTML tags or recursive JavaScript routines
that leave the user's head spinning.

While numerous people have apparently fallen victim to the attack, no
examples have been spotted in the wild. "Until a patch is developed for this
problem, we strongly advise against using brain-based parsing technologies
for surfing the Web. At the very least, make sure you reconfigure your
wetware to ignore all extraneous HTML comments, JavaScript code blocks, and
Flash applets."



