Bug can crash IE 3, IE 4 beta

Microsoft (MSFT) confirmed today that a combination of factors, including encryption on a Web site, can crash certain versions of its Internet Explorer browser.

Users of IE 3.0 and beta versions of IE 4.0 might suffer annoying crashes when browsing sites that use SSL (Secure Sockets Layer) encryption and on-the-fly display of information. The bug does not expose a user's information to the network, according to Microsoft.

"This is not a security issue," said Internet Explorer product manager Kevin Unangst. "It's a memory leak in IE 3 and the IE 4 preview releases."

Microsoft confirmed the problem exists in the Windows 95 and NT versions of those browsers. The problem does not occur in the final version of IE 4.0, due to ship September 30, although Microsoft did not proactively fix the bug.

"In the process of developing and testing IE 4.0, some change of code prevented this problem from happening," Unangst said.

The company will not issue a fix for IE 3.0; instead, it will encourage users to upgrade to IE 4.0, he added.

A team of consultants from Webvision building a site for a customer discovered the bug, which needs two conditions to crash the browser. The browser must visit a Web page with SSL encryption, and that page must also be in streaming mode, meaning the browser begins to display the page before it has downloaded all of it. If a page has these two conditions, there is a possibility of a crash.

Microsoft has not tested IE 2.0 for the bug nor has it tested Macintosh and Windows 3.1 versions of the browser for it, but one of the consultants who discovered the bug said that it affects all Explorer versions except the latest build of IE 4.0, which is not publicly available.

Still, the type of Web page that could trigger the flaw is fairly common, according to one of the consultants.

"The only time we use SSL is to encrypt sensitive information, but of the SSL pages we've written, about 80 percent have the 'streaming' mode on," said Webvision senior technical consultant Craig Froelich. "Pages with [this] combination are pretty common. It's not like we're not doing anything particularly new."

Webmasters can provide a quick fix to the problem by changing their SSL-encrypted, streaming pages to nonstreaming mode, but this presents another problem.

"Rather than showing you the information as it shows up, the browser has to wait until it gets the entire page before displaying," added Froelich. "With large database queries or long pages, it's going to slow down the page, and the user could easily assume that the site or the connection is down."