Hi All -

We've received a number of questions about this report and whether we were able to reproduce its claims. We have tested so far on IE 5.5 Service Pack 2 and IE 6, but have not seen the reported behavior on either platform.

Moreover, it's important to be clear about what's being reported. A stack overflow is not the same thing as a buffer overrun. A stack overflow simply means that the memory allocated to the stack is exhausted. Stack overflows do not permit code to be run on the target machine; instead, they typically result in the application crashing or hanging. In the case of IE, the worst this could be used to do would be to cause IE to crash if a user visited a hostile web site. The user could resume normal operation by restarting IE and not returning to the attacker's site.

Just the same, we are continuing to investigate the report. Even though the scope of a stack overflow would be subject to the limitations discussed above, if there is a stack overflow in IE we would correct it as a code quality issue.

Regards,

Christopher Budd
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: tsr [mailto:tsr_hacc@gmx.net]
Sent: Sunday, December 02, 2001 10:54 AM
To: bugtraq@securityfocus.com
Subject: Stack overflow in all Internet Explorer Versions!!