RE: Stack overflow in all Internet Explorer Versions!!

["Microsoft Security Response Center" <secure () microsoft com>]

Hi All -

We've received a number of questions about this report and whether we
were able to reproduce its claims.  We have tested so far on IE 5.5
Service Pack 2 and IE 6, but have not seen the reported behavior on
either platform.

Moreover, it's important to be clear about what's being reported.  A
stack overflow is not the same thing as a buffer overrun.  A stack
overflow simply means that the memory allocated to the stack is
exhausted.  Stack overflows do not permit code to be run on the target
machine; instead, they typically result in the application crashing or
hanging.  In the case of IE, the worst this could be used to do would be
to cause IE to crash if a user visited a hostile web site.  The user
could resume normal operation by restarting IE and not returning to the
attacker's site.

Just the same, we are continuing to investigate the report.  Even though
the scope of a stack overflow would be subject to the limitations
discussed above, if there is a stack overflow in IE we would correct it
as a code quality issue.  

Regards,
Christopher Budd
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: tsr [mailto:tsr_hacc () gmx net] 
Sent: Sunday, December 02, 2001 10:54 AM
To: bugtraq () securityfocus com
Subject: Stack overflow in all Internet Explorer Versions!!