“7”, Designed to Fail

I read how secure “7” is all the time. Here is a trivial DOS/BSOD attack against 64bit-“7” that is delivered by normal HTML via the Safari web browser. Safari runs on 5% of PCs according to NetApplicatons. “7” runs on about a third of all PCs and 3/4 of that is 64bit. That’s 1% of PCs vulnerable to a trivial HTML attack.

I recommend people use GNU/Linux which is not designed to fail.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology. Bookmark the permalink.

28 Responses to “7”, Designed to Fail

  1. oe says:

    M$ + Crapple = winning combination. Seems like Crapple has been pumping out a lot of bloatware in recent years iTunes and Safari anyone….

  2. lpbbear says:

    “Thank you both for reminding me that it is just a waste of time to talk to fools. The more times that happens, the more likely I will be to remember.”

    Spending time talking to yourselves???

  3. Kozmcrae says:

    “Thank you both for reminding me that it is just a waste of time to talk to fools.”

    Most of the time here is wasted. In case you haven’t noticed Clarence, you are saying the same things over and over and over and over……. again. Same goes for most everyone else most of the time. It’s a kind of Hell. And you’re a big part of it. There is no need to write “new” posts. They’ve all been written before, many many times. Just flip through the archives and you will see, you’ve been reliving Groundhog Day.

  4. Clarence Moon says:

    Thank you both for reminding me that it is just a waste of time to talk to fools. The more times that happens, the more likely I will be to remember.

  5. Kozmcrae says:

    “Besides, I have seen post after post describing bugs in Linux, too.”

    All from different people. You should not expect the unexpected Clarence. That’s not how an operating system is supposed to be. Sounds like you’ve been trained very well by Microsoft.

  6. oiaohm says:

    Clarence Moon the is a cite that post I told you where one was. The samba manual and the old version of it has it wrong yes that is in the repo at samba. The setup instructions of samba were copied from MS instructions. Would you mind stopping your foolish-ness you want me to put too many URL in posts. Be caught by filter.

    Basically you missed seeing a fault that existing in 9x. If you had seen it you would understand the behaviour robert was saying was not strange at all for 9x in the environment robert was talking about. Cause NetBEUI +tcp/ip result totally unstable computer if the computers were trying to use both at the same time that the MS manuals of the time said you could and recommended.

    There are sites around that still have the old incorrect information after it been corrected. Yes 15 years latter you still find sites walking you through the wrong install instructions for 9x to a NT or Samba server including the must install NetBEUI with TCP/IP and both in use that sends 9x into a tailspin so becoming totally unstable.

    Basically you are lazy Clarence Moon unskilled and a idiot who has to accuse a person of making a errors when they are stating what really happened. Sometimes they don’t know why.

    Scary enough I still know a few places still running 9x for particular things Clarence Moon. They broke the rule had a custom application made and did not get the source code. Result it don’t work on 2000 or XP it 9x only. As yet they have not had the budget to replace it. 9x is not even the oldest I have seen in the last 12 months. The oldest was Windows 3.11.

    “In any event, it does not matter at all today what sort of networking was used in Win95.” Nice myth. It does matter today when you hit the conner cases Clarence Moon. Cases you wish did not exist but are still stuck with until software is replaced.

    This is your problem Clarence Moon OS don’t die they slowly fade away and keep on turning up where you don’t want them most likely for a life time or more.

    dougman thanks for the explain that explains why some programs fail so strangely.

    As normal for most bugs that cause blue or red screens of death they are the tip of iceberg.

  7. dougman says:

    For those that asked:

    The bug happens due to a NineGrid request coming through GdiDrawStream sent on behalf of the UX Theme DLL which handles Windows Themes starting in XP and later.

    Webkit browsers (along with IE8 — but not IE9, it would seem) attempt to render HTML elements on the page using the native skin of the OS. In this case, in the
    drawControl function (see http://www.opensource.apple.com/source/WebCore/WebCore-658.28/rendering/RenderThemeWin.cpp), DrawThemeBackground is called, which handles skinning of OS controls.

    A 96 (0x60) byte buffer is sent (parameter 2 and 3 of GdiDrawStream are the size and buffer address, parameter 1 is the HDC).

    Draw Steam buffers begin with a magic value, followed by a series of commands identified by a 32-byte market. Here is the stream sent with the special iframe
    when viewed in Safari:

    44727753 = ‘DrwS’ = DrawStream Magic

    Command Buffers:

    (Open Notepad, copy/paste, save as .html) Open with Safari.

    #0: 00000000
    3b01017a // Destination DC (hdc) *** Must match HDC in GdiDrawStream argument 1 ***
    // Destination Clip (ERECTL):
    0000011b // Left
    00000011 // Top
    0000012c // Right
    0089f580 // Bottom *** Multiply by 2, and you get the “magic” value used in the iframe PoC ***
    #1: 00000001
    058506a3 // Source Surface (pso) *** Dumped the surface from kernel mode, got a 13×5 32BPP
    bitmap which is the Luna/Aero scrollbar slider control ***
    #2: 00000009
    // Destination Clip (ERECTL): *** Should match the Destination Clip of the Target
    0000011b // Left
    00000011 // Top
    0000012c // Right
    0089f580 // Bottom
    // Source Clip (ERECTL): *** Should be within the bounds of the surface (which is 13×5 in this case)
    00000000 // Left
    00000000 // Top
    0000000e // Right
    00000001 // Bottom
    // NINEGRID_BITMAP_INFO *** Documented in RDP docs. Should fit within the surface and destination.
    00000001 // Flags (DSDNG_STRETCH)
    0000000a // Left Width
    00000003 // Right Width
    00000000 // Top Height
    00000000 // Bottom Height
    00000000 // Transparent

    Here is the raw dump:

    0: kd> dds @r8 l18
    00000000`003be664 44727753
    00000000`003be668 00000000
    00000000`003be66c 2b0108d5 // HDC, this will change from dump to dump
    00000000`003be670 0000011b
    00000000`003be674 00000011
    00000000`003be678 0000012c
    00000000`003be67c 0089f580
    00000000`003be680 00000001
    00000000`003be684 018503c2 // Bitmap Surface, this will change from dump to dump
    00000000`003be688 00000009
    00000000`003be68c 0000011b
    00000000`003be690 00000011
    00000000`003be694 0000012c
    00000000`003be698 0089f580
    00000000`003be69c 00000000
    00000000`003be6a0 00000000
    00000000`003be6a4 0000000e
    00000000`003be6a8 00000001
    00000000`003be6ac 00000001
    00000000`003be6b0 0000000a
    00000000`003be6b4 00000003
    00000000`003be6b8 00000000
    00000000`003be6bc 00000000
    00000000`003be6c0 00000000

    What are you essentially seeing is an iframe that has a particularly interesting height, that when the scrollbar is being drawn and themed, a math error in the NineGrid transform causes an out-of-bounds write. This PoC would work in IE 8, but IE 8 has a well known CSS bug where it has a maximum pixel limit (around 1342177), which is why it doesn’t immediately manifest itself.

    *OTHER HEIGHTS ARE EXPLOITABLE*, and some may be small enough such that even IE 8 hits the NineGrid height corner case.

    IE9 does not seem to theme controls using UxTheme at all, and its scrollbar behavior is different from IE 8, so even though the pixel limit is no longer there, the PoC did not work. Firefox was not tested.

    *NOT ONLY IFRAMES ARE VULNERABLE*. Testing with an HTML of the same height resulted in a crash in Safari as well.

    What this means is that *any* client, local or remote, that does skinning of the controls (i.e.: almost all of them — even a button on a flash PDF) could result in a NineGrid transform that hits this bug. It’s not at all specific to WebKit.

    A browser should never crash an operating system. This is why I block javascript, have removed java, run Adblock and Ghostery in Chrome and have edited my HOSTS configuration file.

  8. Clarence Moon says:

    No cites at all, Mr. Oiaohm? Go perpetrate your foolishness to others. No one here believes you anymore. In any event, it does not matter at all today what sort of networking was used in Win95.

  9. oiaohm says:

    Clarence Moon. Did you have a NT server in the mix Clarence Moon. I guess you were operating peer to peer under 10 machines.

    The trouble I am referring to appears when you have larger networks and attempt to get around 10 machine limit with a NT server then 9x turns evil.

    Nice land mine for tech. People like you Clarence Moon used 9x without issue tech insert a NT server as requested then get blamed for bad configuration or other things because 9x does not have trouble.

    9x lose is a reference to it losing files and poor techs end up in no win arguments. The network works fine with out the server the server has to be set wrong….. yep server set perfect 9x not liking it.

    Of course there was a few parts you could remove from default install that makes 9x happier. NetBEUI for one get rid of.

    Of course to be a complete evil bit of works all MS manuals from the time told you to install NetBEUI and TCP/IP side by side it would be fine in fact was the recommend configuration.

    Even the early samba guide told you to install NetBEUI that is the mistake. Current day Samba guided tell you to remove it never place along side TCP/IP in Windows 9x because they are incompatible with each other.

    What is windows 9x default state. TCP/IP, NetBEUI and Novell Networking. Land mined that is a incompatible mix if talking to another machine that is not either 9x or Novell netware. Samba and NT server not compatible with defaults.

    Unless you go novell or know the secret handshake that was not in MS documentation at the time only appeared in MS documentation in 2000 you were not going to get NT server to behave with 9x clients.

    In fact the MS documents were telling you to install NetBEUI with TCP/ip even worse some network cards would not work without NetBEUI installed.

    One of the major cases of fun I had it two computers would not network up because one network card required NetBEUI and one network card wanted nothing todo with it(IBM card). 9x Lose issue. NT same hardware worked perfectly.

    Time of 9x I was already handling fairly large stuff.

    Yes it happened like 15 years ago Clarence Moon so I was a little rusty on what the disaster was. But the exact behaviour robert is describing is what happened if you left the NetBEUI part installed as MS documentation instructions told you todo. So made the odds of finding that problem low.

    Lets call it Historic F up that hurt a lot of people and you will hear a lot of people hating 9x over it quite well deserved thinking the documentation was wrong.

    Windows 7 the fault I pointed to has been reported over and over again of silverlight going nuts and red screen of death in Windows 7 32 and 64 bit. So far not found exactly what is going wrong. Its one of those nice hard to repeat bugs.

  10. Clarence Moon says:

    Mr. Oiaohm, you continue to wax about obscure events without any offer of a citation to validate your story. I used Windows 95 and Windows 98 on networks at the office and even at home for years without any sort of problems that you hint exist. As I remember, it was a coaxial cable with tee connectors wherever a computer needed to be attached. I do not remember any problem with it other than it took a while to transfer big files that way.

    After Windows 98, I began to use Windows 2000, which was derived from NT. It was the same price, namely “included”, as its predecessors and successors today.

    In any case, Windows 7 is what you get today and nothing that happened 15 years ago really matters to anyone buying a new computer. There are crude ways to put your concern, and most start with “You are blowing smoke up…”.

  11. Clarence Moon says:

    Some years ago, in the XP era, I got a new Dell at the office that blue-screened a couple to time per day. Dell decided that the combination of video adapter and other peripherals on the machine were incompatible and they replaced the video adapter with another model and that cured the problem. Software has bugs and that seems to be a never-ending curse.

    What is more important, I think, is that a person can get their job done more effectively with a computer, bugs or not, than without. As long as that is the case, people will buy new computers and will hope for fewer bugs.

    I think that I am more or less typical of a heavy user of computers and I am at it day and night, it seems. Once in a while, something mysterious happens but not as much as it once did. It is not going to make me quit, though, and, the way that it is now, I am not even motivated to spend the time it would take to find a cure. Besides, I have seen post after post describing bugs in Linux, too.

    Maybe they have fewer bugs than Windows, maybe not. I really don’t care enough to find out for sure. Finding out is more work than putting up with the occasional bug.


  12. Phenom says:

    I third DrLoser and Oldman. 64bit 7 with Safari installed, ready to test.

    Gosh, haven’t seen a BSOD since I had a video card with an overheating problem in the XP era.

  13. ray says:

    about the bsod in windows 8, It’s still there. It’s just also has a sad face…

  14. oiaohm says:

    Clarence Moon Windows For Workgroups in windows 3.11 worked.

    Windows 9x was when MS started marketing NT workstation version. From what I can work out Windows 9x network stack was basically shot in what appears intentional to force up-selling of Windows NT workstations.

    Windows NT 3.1 that lines up with Workgroups in windows 3.11 does not have a workstation model.

    Clarence Moon interesting right. Windows NT 3.5 that was released in alignment with Windows 95 has a workstation model. Yes the miss behaviour of the 9x line is nice and expected. MS wanted to sell Windows NT workstation to business wanting to network in the time of Windows 9x. So Windows 9x working perfectly while networked was not a suitable outcome for Microsoft profit. 9x was the sampler of what Windows networking could do. To try the full cherry you had to pay for Windows NT workstation.

    The take over in the time of 9x OS is like munich. Munich was a NT workstation operation.

    Yes the 9x Lose was not coined by the FOSS world it was coined by the people upgrading there networks to NT Workstations because it suxed so much.

    Clarence Moon end of the 9x line Novell sales fell straight threw the floor.

    History is history you never checked on what was going on in 9x time frame to see why running it networked was kinda stupid. MS had no interest in making 9x work correctly once networked. They had a interest to make sure it would not. You want to upsell right you cannot upsell from something that works perfectly.

  15. oldman says:

    And I will even install (Gag) safari on my systems to coo-berate what Dr. Loser finds.

    What say you Pog?

  16. Dr Loser says:

    I’m still waiting for a link, Robert. I’ve even downloaded Safari in preparation. And, as usual, Oiaohm’s contribution to the conversation was (shall we say) less than helpful.

    OK, I’ve got my Safari on my Windows 7 laptop. In order to get a BSOD, what do I do next? Step by step, please. If you’ve tested it yourself, I’m happy to follow your steps; otherwise I’d like a link.

    Not some hysterical teeny-bopper anecdote.

    It’s been quite a while since I’ve seen a BSOD. I kind of miss the silly buggers.

  17. Clarence Moon says:

    Once again you make up some sort of obscure claim and offer no corroborating cites, Mr. Oiaohm. When anyone has bothered with you, you have been discredited at every turn.

    When Windows For Workgroups first appeared, Novell Netware started its long period of decline. No such problems ever stemmed the tide of Windows take-over of client side networking.

  18. oiaohm says:

    Clarence Moon I know the issue Robert Pogson is refering to it has a signature.

    Networked windows 9x. The thing was completely evil for losing documents and crashing at random will and being fully touchy on numbers of applications open.

    Clarence Moon I guess you were running it stand alone.

    Lot of business were running NT workstations in the time of 9x due to the fact network 9x and it turned completely evil wanting to eat you alive unless of course you paid for novel netware then 9x magically worked.

    9x to a windows NT server you ass was toast. Yes 9x hell explains why novel was so popular before the year 2000.

  19. Clarence Moon says:

    I don’t think that you are reacting in a normal way to this issue, Mr. Pogson. If I run some application and it crashes my computer when other applications work just fine, my first thought is to find an alternative application to the one that is failing. I am sure that Apple has already provided a fix to Safari by now and does not relish the shame associated with having a widely known defect in their product.

    Had the Firefox or Chrome browser had the same problem, I think that it would have been fixed quickly also.

    Your positiion is equally weak in regard to seeing this defect as an “attack”. If someone puts a command on their web page that is contrived to cause this failure for unsuspecting users, the web site owner is exposed to the world as a malicious sort who is violating a variety of laws on the books. The web site would, I think, be easy enough to trace to the perpetrator who would have little defense to a prosecution.

    I have been using Windows since the Windows 3 days and I have never had the sort of experiences that you relate as “every 15 minutes” with extreme care or “a minute or two” without. Such a shaky performance would certainly have prevented such universal acceptance of Windows as has taken place.

  20. @Dyl: The first year I was hired to be a computer teacher I sat down to explore Lose ’98 in my lab. If I was very polite and never opened more than a few windows in my browser and never ran the word-processor and browser together, it would take 15 minutes of so to crash the system. If I just sat down and used the computer assuming Lose ’98 would manage resources, it would crash within a minute or so. It just did not manage the resources. I looked around and you could download an app to warn you when Lose ’98 was going to crash so you could reboot. It was as if all the hired help at M$ had never taken Comp Sci 101 and learned to know and to avoid disaster. Every hour one of my students would lose a file. We built a GNU/Linux terminal server and used the machines as thin clients and no one lost a file for the rest of the year.

    That anyone would express any loyalty or respect an organization that created that kind of software and charged money for it makes me question whether there is rational life on Earth.

  21. One of the things I immediately loved about GNU/Linux is that an app crashing did not bring down the system. That other OS still does not have that right.

  22. lpbbear says:

    “Safari causes a BSOD on Windows? Any other browser doesn’t have this problem? Oh, must be Windows fault.”

    ANYTHING causes a BSOD on Windows! Almost certainly must the fault of ANYTHING……but Windows. (rolls eyes)

  23. oiaohm says:


    Robert Pogson you missed the best ones. Blue Screen of death is not a full stop under Windows 7. They are just application screwed up messages.

    Yes the Red Screen of Death from Sliverlight running in Internet Explorer on 64 bit Windows 7 kinda shows how weak the sandboxing was. Problem is the malfunction inside Sliverlight is still like at random.

    The red screens of death that exist show that Windows 7 is not secure. Blue screen of death application is still contained under Windows 7.

    Yes MS is being confusing and for Windows 8 the death screen changes to a black screen of death. Very much in look to a Linux kernel panic.

    Vista and 7 death screen red.
    XP and before its blue.

    Dr Loser click on the view in youtube the directions to set the bug off are in the comment.

    Now setting the silverlight I kill windows off that is like being hit by lighting. One day without any reason account every time you visit a particular silverlight driven site the computer red screens.

    Sport of windows random bugs.

  24. Dr Loser says:

    This is a what, sorry?

    Link please. I’d be more than happy to try it out.

  25. Dyl says:

    No OS should allow buggy software, regardless of it’s source or purpose, to cause the OS to crash.
    Period. Full Stop.

    Buggy software happens, and if the OS can not handle buggy software without crashing the whole system, it’s the OS’s fault, not the software.

  26. Clarence Moon says:

    That was meant to say “when the Safari browser is run under Linux or OS X”.

  27. Clarence Moon says:

    What happens when the Safari browser This may just be a problem with Safari and Apple needs to fix it.

  28. JairJy says:

    Safari causes a BSOD on Windows? Any other browser doesn’t have this problem? Oh, must be Windows fault.

Leave a Reply