Bugtraq mailing list archives
MSIE 5 favicon bug
From: flaviovs () CENTROIN COM BR (Flavio Veloso)
Date: Mon, 3 May 1999 16:06:10 -0300
Hi folks. When MSIE 5 users bookmark a page, the browser will request a file named "favicon.ico" which is to be used in the "Favorites" menu of the browser. Unfortunately MSIE 5 doesn't check the file integrity and crash if faced with a bad-formed icon file. Upon crashing the stack gets filled with information from the icon file itself, so it may be possible to run code on the client machine, tough I didn't test it. Microsoft was notified twice about this issue via the "Report a Bug" form on their web site. The first time about one month ago, the second time about two weeks ago. I didn't receive back any reply. More information about this bug (plus another privacy issue about the "favicon.ico" file) is available at http://web.cip.com.br/flaviovs/sec/favicon/index.html. -- Flavio
Current thread:
- Re: Possible Linuxconf Vulnerability Desync (May 01)
- Re: Possible Linuxconf Vulnerability Patrick J. Volkerding (May 01)
- Re: Possible Linuxconf Vulnerability Neale Banks (May 03)
- FW: NT Security: Domain user adding self to Domain Admin group. Gary Kalbfleisch (May 03)
- MSIE 5 favicon bug Flavio Veloso (May 03)
- <Possible follow-ups>
- Re: Possible Linuxconf Vulnerability Dan Merillat (May 05)