MSIE 5 favicon bug

Description

There's a bug in MSIE 5 when handling the favicon.ico file downloaded from a web site. By creating an icon file with bad data, it's possible to crash MSIE 5. The stack is filled with information from the icon file, so it may be possible to create an icon file with data which would end up executing code on the client machine.

The favicon.ico icon file

The favicon.ico file is an icon file in the MS-proprietary icon file format. It is downloaded by MSIE 5 when the user asks it to add the page's URL to his/her "Favorites" list. When the user selects to add the URL, MSIE 5 downloads the file and shows the icon on the "Favorites" menu. The request for the favicon.ico file is first made on the same path as the current URL. If the file is not found, MSIE 5 will try to get the file from the root directory of the web server. For example, if you try to bookmark this page, MSIE 5 will look for favicon.ico in http://www.magnux.com/~flaviovs/sec/favicon/ and, if the file cannot be found there, in http://www.magnux.com/.

Impact

MSIE 5 will crash when trying to interpret/show such an icon file. It's unknown whether it's possible to create an icon file which will trigger code execution on the client machine, but the evidence shows that it may be possible (i.e. it looks like a stack buffer overflow).

Solution/Workarounds

Microsoft has released a patch for MSIE 5 that fixes this issue (see below).

It seems it's not possible to turn off the favicon.ico loading feature. Thus if you cannot patch/upgrade your browser, the only workaround is not to add any non-trusted site to the "Favorites" list (but see "Privacy Issues about the favicon.ico File" for other ways of dealing with this).

Example

If you're using MSIE 5 with JavaScript enabled, you can see the bug in action. Otherwise just try to bookmark this page (note: this may crash your browser).

Here's the favicon.ico file that triggers the bug. It's composed of a bogus header followed by lots of "A" characters.
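As an added example (not part of the original advisory and not Microsoft's fix), here is a bounds-checked validator for the icon directory that a filtering proxy or a site's upload path could run on an untrusted favicon.ico before serving it. It uses the standard ICONDIR/ICONDIRENTRY layout; the function names, the 64-image limit and both sample buffers are assumptions, and the page does not say which field MSIE 5 mishandles.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ICO_OK, ICO_TRUNCATED, ICO_BAD_HEADER, ICO_BAD_COUNT, ICO_BAD_ENTRY };
#define HDR_LEN    6u   /* ICONDIR: reserved, type, count (3 x u16) */
#define ENTRY_LEN  16u  /* one ICONDIRENTRY */
#define MAX_IMAGES 64u  /* local policy limit (assumption) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the directory of an untrusted .ico buffer. No count, size or
   offset read from the file is used before it is checked against len. */
int ico_validate(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return ICO_TRUNCATED;
    if (rd16(buf) != 0 || rd16(buf + 2) != 1) return ICO_BAD_HEADER;
    uint16_t count = rd16(buf + 4);
    if (count == 0 || count > MAX_IMAGES) return ICO_BAD_COUNT;
    size_t dir_end = HDR_LEN + (size_t)count * ENTRY_LEN;
    if (dir_end > len) return ICO_TRUNCATED;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_LEN + (size_t)i * ENTRY_LEN;
        uint32_t size = rd32(e + 8), off = rd32(e + 12);
        /* Image data must start after the directory and end inside the
           file; the subtraction form cannot wrap the way off + size can. */
        if (size == 0 || off < dir_end || off > len || size > len - off)
            return ICO_BAD_ENTRY;
    }
    return ICO_OK;
}

/* Constructed sample: one 16x16 entry whose 4 data bytes sit at offset 22. */
int demo_valid(void) {
    uint8_t f[26] = {0,0, 1,0, 1,0, 16,16,0,0, 1,0, 32,0, 4,0,0,0, 22,0,0,0};
    return ico_validate(f, sizeof f);
}

/* Constructed sample: plausible 6-byte header, everything after it is 'A'. */
int demo_filled(void) {
    uint8_t f[512];
    memset(f, 'A', sizeof f);
    f[0] = f[1] = 0; f[2] = 1; f[3] = 0; f[4] = 1; f[5] = 0;
    return ico_validate(f, sizeof f);
}

int main(void) { printf("valid=%d filled=%d\n", demo_valid(), demo_filled()); return 0; }
```

The check covers only the directory; the bitmap data each entry points to needs its own validation before it is decoded.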

What Microsoft is Doing

I reported the bug twice to Microsoft and they only provided a fix when this issue was fully disclosed on the Internet.

The patch for MSIE, along with some more useful information to MSIE users, is available at http://www.microsoft.com/technet/security/bulletin/ms99-018.asp.

Disclaimer

All information contained in this page is for EDUCATIONAL PURPOSES ONLY. The author of this page cannot be made responsible for any damage caused by the use or misuse of information here contained.

About

This bug was discovered in April 1999 by Flavio Veloso <flaviovs at magnux dot com>.