User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

The tag "<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />" can cause the video device driver to hang, causing a STOP (Blue Screen of Death) error. This has been tested on Win XP home using Firefox 1.0.1; and on Win XP home using Firefox 1.03, Firefox 1.04, and Internet Explorer (latest version). The exploit is way too easy to use, as it only requires an unsuspecting victim to visit the page. This can be accomplished by either posting the link somewhere or, like what happened to me, cracking the homepage of a website (for example my website) and replacing it with a page that redirects to the exploit.

Reproducible: Always

Steps to Reproduce:
*WARNING* following the steps results in an operating system crash, be sure to SAVE ALL DATA before continuing! The complete URL to the file was not included to prevent any accidents; follow the steps below to get to the page. This is the page that the redirect that was put on my website led me to.
1. Go to "http://www.scene.org:8080/redhound/"
2. Click "crash.html"

Actual Results:
The system froze for several seconds, then displayed a STOP error.

Expected Results:
There should be a reasonable size limit on the size of images to prevent this from happening. Firefox should have displayed the image at a reasonable maximum size. This should also be reported to makers of other browsers, as it works on IE, and probably works on other browsers. This has also been reported to Symantec.

Created attachment 186619
Copy of exploit page and the image file.

*WARNING* this results in an operating system crash, be sure to SAVE ALL DATA before continuing! The file crash.html has been renamed to crash.txt; rename it back to crash.html to test it. The image file is, as far as I know, harmless. It is the IMG tag that causes the crash.

This trick is making the rounds. It's fixed in the Deer Park Alpha 1 release.

*** This bug has been marked as a duplicate of 289864 ***
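
Added example, not part of the bug report and not Mozilla's code: a site owner who suspects a defaced page can scan its HTML for IMG tags that declare an implausibly large width or height, as the tag in the report does. The limit of 16384 pixels, the function names and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# Assumed limit (not from the report): largest declared width/height, in
# pixels, treated as plausible for a legitimate image.
MAX_DIMENSION = 16384

# Constructed sample page; the second tag is the one quoted in the report.
SAMPLE_PAGE = """<html><body>
<img src="logo.png" width="120" height="60">
<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />
<img src="banner.png" width="100%" height="80px">
</body></html>"""


def parse_pixels(value):
    """Return the absolute pixel count in a width/height value, or None."""
    if value is None:  # attribute missing or written without a value
        return None
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2].strip()
    # Percentages and other non-numeric values are relative sizes; skip them.
    if text.isascii() and text.isdigit():
        return int(text)
    return None


class OversizedImageFinder(HTMLParser):
    """Collect <img> tags whose declared width or height exceeds the limit."""

    def __init__(self, limit=MAX_DIMENSION):
        super().__init__()
        self.limit = limit
        self.findings = []  # (line, src, attribute name, pixels)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IMG SRC=...> matches.
        if tag != "img":
            return
        attr_map = dict(attrs)
        for name in ("width", "height"):
            pixels = parse_pixels(attr_map.get(name))
            if pixels is not None and pixels > self.limit:
                line, _ = self.getpos()
                self.findings.append((line, attr_map.get("src"), name, pixels))


def find_oversized_images(html, limit=MAX_DIMENSION):
    """Return one finding per oversized width/height attribute in the HTML."""
    finder = OversizedImageFinder(limit)
    finder.feed(html)
    finder.close()
    return finder.findings
```

This only inspects dimensions declared in the markup; sizes set through CSS or script are outside what it checks.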