I discovered this bug accidentally while developing a new version of Anfy, and I have not disclosed the information required to re-create the bug. However, hackers have re-created it themselves, and I disagree with their malicious use of it.
All that is required is a single 1 Kb ".class" file. It's a Java applet which uses Microsoft's "extensions" to the official Java specifications. The applet will not only crash Internet Explorer 4.0, 4.1 and IE 5 beta, it will crash the whole Windows 95/98 operating system; all running applications stop and unsaved work is lost. On Windows NT, Internet Explorer crashes, but the operating system in most cases is still usable.
Warning:
Some hackers have already spread malicious versions of this applet, so you may be at risk unless you install the patch from Microsoft. Applets sent as email attachments may also crash your system. Users affected by this problem will not have an opportunity to prevent a total crash of their system, and unsaved work will be lost. This is why this is more than a bug: it is a security hole.
This is not a virus: it can't replicate itself automatically, but has to be spread individually by malicious people, like a Trojan Horse. It can reside on an internet site you visit or it can be sent to you attached to an e-mail, but it has to be spread intentionally (hackers can also insert the crash applet in a site without the knowledge and permission of the site owner).
ONLY NON-UPDATED INTERNET EXPLORER 4 RUNNING ON WINDOWS 95/98/NT IS AT RISK: The applet will not run in a 100% pure Java environment, such as Netscape Navigator or using the Java Plugin. Java is a secure and reliable technology, if correctly implemented. The bug is only present in Microsoft's extensions to Java on Windows systems. The applet does not crash Explorer 3 or earlier, and does not affect Windows 3.1 or Apple Macintosh versions.
Related articles:
From: "DirectDraw bug causes crashes", CNET News.com:
"This is a denial-of-service problem in that it prevents you from using the system," said Microsoft product manager for platform marketing Joe Herman. "[Ciucci's] applet is hanging the system, and it's a bug that we need to correct."
From: "Sun free to terminate Microsoft's Java contract", PC Week Online:
"With a ruling due anytime now in the Java case between Microsoft Corp. and Sun Microsystems, a key date has come and gone -- the first anniversary of the suit -- and that means Sun now has the right to terminate Microsoft's Java license."
From: "Finjan Issues Internet Explorer Hostile Code Alert", NEWSBYTES Top Story:
"Finjan advises customers take precautions against a serious security hole recently discovered in Microsoft's implementation of Java in Internet Explorer. [...] These applets can be included in any Web page, or sent via e-mail attachments. [...] by maliciously programming the Microsoft Java extensions, hackers can access various Windows capabilities normally inaccessible in "100% pure" Java environments. [...] hackers can reach various desktop resources and stop service completely. Computer users lose all unsaved work and are forced to reboot. In its variants, the Ciucci Java applet exploitation can also wait silently several minutes after the applet loads, and only later crash the browser, making it difficult to trace the origin of the applet".
Patches, Solutions and Protections
After a month, Microsoft released a patch. Microsoft released a Java update on Dec. 7, 1998, after the preliminary ruling in the case against Sun. Rather than making a working version of the bugged extra function, Microsoft silently removed the whole support for DirectX and DirectDraw from Java (at least from the standard security settings for applets); in fact, the DirectDraw samples from their old Java SDK do not work anymore. It is interesting to note that Microsoft has not informed users about the bug and silently patched it, probably hoping no one would ever know it existed. Here are a couple of locations where you can download the updates:
http://www.microsoft.com/java/vm/dl_vm31.htm
http://www.microsoft.com/windows/ie/download/jvm.htm
Some antivirus companies are adding support for blocking execution of the malicious applets.
Finjan announced its SurfinGate 4.02, an HTTP proxy able to prevent the applet from being executed.
Be sure to come back to www.anfyteam.com/iebug/ to read the latest news and download patches / antiviruses.
Vulnerability Test
You can test here if your Internet Explorer is affected by the security hole. Go to the Crash Test Page at your own risk. The risk is only for Internet Explorer users without the latest patch. With Netscape or non-Windows operating systems there are no risks.
Hackers activity monitor
Please report any site which contains malicious "Ciucci bug" applets. Here is the list of known sites. Note: I have nothing to do with those people!
http://www.damnation.net/iecrash/IECRASH.ZIP
http://hackersclub.com/km/library/hack/iecrash/
I published those sites only after the release of the Microsoft JVM patch, being concerned about the spread of these files before the existence of a defense. Anyway, the purpose of those links is to warn net surfers and antivirus companies about the various versions of the hostile applets, NOT TO DISTRIBUTE THE FILES FOR MALICIOUS USES.
If you have news about this subject, including the announcements of new antiviruses and patches for, or modified versions of the malicious applet, contact me through the contact page on the www.anfyteam.com main site. If you have a web site, I suggest you download the free Anfy 1.4, my award-winning tool, which gives easy design capabilities to add special effects to HTML pages.