favicon.icofile downloaded from a web site. By creating a icon file with bad data, it's possible to crash MSIE 5. The stack is filled with information from the icon file so it may be possible to create an icon file with data which would end executing code on the client machine.
favicon.icofile is an icon file in the MS-proprietary icon file format. It is downloaded by MSIE 5 when the user asks it to add the page's URL to his/her "Favorites" list. When the user selects to add the URL, MSIE 5 downloads the file and shows the icon on the "Favorites" menu. The request for the
favicon.icofile is first done on the same path of the current URL. If the file is not found, MSIE 5 will try to get the file from the root directory of the web server. (e.g. if you try to bookmark this page, MSIE 5 will look for
http://www.magnux.com/~flaviovs/sec/favicon/and, if the file cannot be found there,
It seems it's not possible to turn off the
loading feature. Thus if you cannot patch/upgrade your browser, the only
workaround is not to add any
non-trusted site to the "Favorites" list (but see "Privacy Issues about the
favicon.ico File" for other ways of dealing with this).
that triggers the bug. It's composed of an bogus header followed by
lots of "A" characters.
The patch for MSIE, along with some more useful information to MSIE users, is available at http://www.microsoft.com/technet/security/bulletin/ms99-018.asp.