I've been very vocal against Microsoft's move to label Denial of Service as a stability issue rather than a security issue. I fully disagree with this idea, as availability should be just as important as any other security issue. I will say that they appear to have a sliding scale... where some Denial of Service issues are patched and treated as security issues, however I can't help but feel these should all be treated equally. This is something I've addressed in the past (here and here), however I feel the need to bring it up again.

Twice I've contact Microsoft regarding Internet Explorer. Twice I've been told that DoS isn't a security issue... I thought about writing up each issue, but instead I feel that a video may better represent these issues.

Download the AVI

Crash 1

In this video we have a IE7 install and when we visit the page IE crashes. In this case, too much input submitted to a form is the cause of the problem. To accomplish this I've simply created a long string, and used some onload javascript to set a form text input to the value of the long string and then submit the form. This causes a "non-exploitable stack exhaustion" according to Microsoft. However, I consider the browser crashing to be an exploit.

Crash 2

In this video, IE7 has been installed immediately after the SP2 install, then we install the latest updates. As you can see, IE crashes when the page is loaded. The page I visit actually wraps a popular website which causes the crash to occur (it requires being loaded a couple of times to induce the crash, so we use a iframe set to width=0 and height=0 and a meta refresh tag). These seem to be Flash related, however I can't visit the Flash website to grab the latest version (it's the page causing the crash).

I'll concede that remote code execution is more serious than denial of service, but that doesn't mean we should discount the seriousness of denial of service. As Microsoft has told me these aren't security issues, I felt I wouldn't be remiss in disclosing them now, in fact, I felt that I should disclose them. With more and more people making use of Web 2.0 applications even denial of service to a browser could have disastrous results.

As I've mentioned before... Mozilla fixes issues of this nature under a security advisory (example). If Microsoft's primary competition can do it... why can't they?