CSS-DIE
H D Moore, Matt Murphy, Aviv Raff, and Thierry Zoller released a new tool for fuzzing CSS implementations. One slightly humorous thing is that when you go to the site it will recognize your browser and displays a message related the current status of problems that have been reported. The available browsers and their respective messages are:
Unknown - Your browser is not recognized.
iCab - (no message)
Internet Explorer - Internet Explorer 6.0 is known to crash in at least one place.
Konqueror - Konqueror might crash…
Mozilla - Mozilla Firefox 1.5.0.1 has passed all CSSDIE tests without crashing :-)
OmniWeb - (no message)
Opera crashes in at least one place.
Safari - Safari might crash…
WebTV - (no message)
Soooo…. If you're running something other than Firefox 1.5.0.1 you might want to head over and try it out when you have time to let it run by itself. It is probably highly dependent on the version of the browser you are running so the more people that try it at various patch-levels and submit the results, the more vulnerabilities may be found. I tried it with Safari 2.0.4 on my iMac G5 (with the "Append all elements as a child, for each element" option checked) and it did eventually cause a crash which I submitted the crash log for. On the iBook G4 it ran for about 3 hours and then I decided that I wanted my CPU back, since it runs at 100% utilization ;)
