Many anti-virus products — particularly the “Internet security suite” variety — now ship with various Web browser toolbars, plug-ins and add-ons designed to help protect the customer’s personal information and to detect malicious Web sites. Unfortunately, if designed poorly, these browser extras can actually lower the security posture of the user’s system by introducing safety and stability issues.

The last time I caught up with security researcher Alex Holden, he was showing me a nifty way to crash IE6 and prevent the user from easily reopening the badly outdated and insecure browser version ever again. Just the other day, Holden asked me to verify a crash he’d found that affects users who have Trend Micro Internet Security installed, which installs a security toolbar in both Internet Explorer and Mozilla-based browsers on Microsoft Windows.

The video here was made on a virgin install of Windows XP SP3, with the latest Firefox build and a brand new copy of Trend Micro Internet Security. Paste a really long URL into the address bar with the Trend toolbar enabled, and Firefox crashes every time. Do the same with the toolbar disabled, and the browser lets the Web site at whatever domain name you put in front of the garbage characters handle the bogus request as it should. This isn’t limited to Firefox: The same long URL crashes IE8 with the Trend toolbar enabled, although for some strange reason it fails to crash IE6. I didn’t attempt to test it against IE7.

This crash could be benign, or it may be possible to use it to attack the browser. But, as Holden said, this is a very basic — Programming Security 101-type bug — that should not be found in such a widely used security software product.

“The resulting crash of the browser may have buffer overflow conditions which would potentially open up a computer to full user-level privilege from a malicious attacker,” said Holden, director of enterprise security at Cyopsis LLC., a Denver-based security firm. “The scope and simplicity of this exploit opens up the possibilities for redirects, site links or even the shortened URLs used on popular social media sites such as Twitter and Facebook to be exploited.”

I notified Trend about this bug roughly two weeks ago. The company said it expects to ship a downloadable hotfix on Tuesday, April 13 to correct this flaw.

Update, 6:27 p.m. ET: Corrected the date to read Tuesday, April 13.

This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.

If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):

ms-its:%F0:

or just click this link with IE6.

Here’s a short video example of the crash that results from typing that text above into an IE6 window:

The “ms-its” bit is a reference to one of the helper extensions built into IE6. Alex Holden, the Wisconsin based researcher who showed me this crash, said the bug is the result of a pointer overflow in IE. The crash does not appear to work in newer versions of IE.

Holden said he notified Microsoft about his finding back in 2004. An e-mail thread Holden shared with krebsonsecurity.com indicates that Microsoft engineers believed there were no severe security consequences of this bug, and that it would probably be fixed in a future service pack. Obviously, it never was.

One way XP users might encounter this would be if the short code above or something like it were included in a link sent to a targeted user via instant message or e-mail. Indeed, one could imagine a computer worm that went around and changed the victim’s default home page to this short bit of code. The victim would be no longer be to get online….with IE6, anyway (although a registry hack could almost certainly fix the swapped home page).

There is one interesting possible use for this tiny snippet of crash-inducing code. Maybe someone you know and care about insists on using IE6 or refuses to upgrade to IE7 or IE8. Install Firefox or some other browser alternative, and then change their IE home page to “ms-its:%F0:” Chances are good they will never be able to open IE6 again.