Hacking CSS

I’m having a quieter-than-usual week at work this week (which is just as well considering that I spent 90 minutes of today with no internet connection thanks to a ghost in my machine/router…). So it was a bit of a shock to the system to have to swing into action mid-afternoon to tackle a bug that was crashing IE6 when it attempted to load a previously-tested-and-working web page that was supposed to go live the very next day.

My first thought was that maybe an automatic Windows Update had somehow adversely affected my install of IE6. That’s not usually my first thought, but for a previously tested and working HTML page to suddenly start crashing all by itself? Nup, no way was it my CSS. To be honest it was just as unlikely that it was a Windows Update that was at fault either, but it was worth a shot.

So I went into my XP Control Panel (“Add or Remove Programs”) and Googled the last couple of Windows updates.

Security Update for Windows XP (KB937143), installed on 15/08/2007, turned up some worrying info – apparently some guy in Germany had noticed that IE6 had started to crash “while accessing at least one site”, after installing the GDR version of the update. Maybe I was on the right track?

After a bit more Googling, I arrived at the MS support page for MS07-045: Cumulative Security Update for Internet Explorer.

Completely missing the ‘IT professionals’ link at the top of the page (maybe that says something) and finding nothing useful anywhere else, I ended up Googling the update name and got to a page about Microsoft IE Crafted CSS Unspecified Memory Corruption, which told me of
“a flaw that may allow a malicious user to gain the same user rights as the logged in user. The issue is triggered when IE parses certain strings in CSS. It is possible for a malacious person to construct a specially crafted website which could remotely execute code on the visitor’s computer.”

I wondered who these ‘malacious’ people were? And why didn’t they just stick to the accepted label of ‘malicious’? Clearly they were social outcasts, determined to make my life harder by forcing me to rewrite my CSS so that it didn’t look like it was attempting to trick people into giving up their Facebook passwords.

A bit more Googling and a bit more info from this page which explained that “The specific vulnerability exists due to improper parsing of HTML CSS ‘float’ properties. By ordering specially crafted ‘div’ tags in a web page, memory corruption can occur leading to remote code execution.”

To cut a long story short, the page in question was debugged after I followed up the notion of improperly parsed ‘float’ properties and ended up at an old post on Eric Meyer’s site. This kicked my brain into revisiting the CSS, and after some playing around, I resolved the issue by adding a couple of lines of otherwise unnecessary CSS, to prevent a floated list from bringing the house down in IE6.

I still don’t know whether Microsoft or KB937143 were at fault, or whether the bug was always there and just waiting for the slightest encouragement, but the afternoon’s debugging has made me feel that much less secure about developing CSS for Internet Explorer.