favicon.ico file downloaded from a web site. By creating an icon file with bad data, it's possible to crash MSIE 5. The stack is filled with information from the icon file, so it may be possible to create an icon file with data which would end up executing code on the client machine.
The favicon.ico icon file

The favicon.ico file is an icon file in the MS-proprietary icon file format. It is downloaded by MSIE 5 when the user asks it to add the page's URL to his/her "Favorites" list. When the user selects to add the URL, MSIE 5 downloads the file and shows the icon on the "Favorites" menu. The request for the favicon.ico file is first made on the same path as the current URL. If the file is not found, MSIE 5 will try to get the file from the root directory of the web server (e.g. if you try to bookmark this page, MSIE 5 will look for favicon.ico in http://www.magnux.com/~flaviovs/sec/favicon/ and, if the file cannot be found there, http://www.magnux.com/).
It seems it's not possible to turn off the favicon.ico loading feature. Thus if you cannot patch/upgrade your browser, the only workaround is not to add any non-trusted site to the "Favorites" list (but see "Privacy Issues about the favicon.ico File" for other ways of dealing with this).
If you're using MSIE 5 with JavaScript enabled, you can feel the bug in action. Otherwise just try to bookmark this page (note: this may crash your browser).
Here's the favicon.ico file that triggers the bug. It's composed of a bogus header followed by lots of "A" characters.
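A file made of a bogus header and filler bytes can be rejected before any decoder touches it. The C code below is an added example, not part of the original advisory and not MSIE's code: it checks the icon directory (6-byte header plus 16-byte entries, per the publicly documented ICO layout) against the real buffer length. The names `ico_validate`, `ico_status` and the `MAX_IMAGES` limit are assumptions made for this example, and the sample buffer in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers; the caller has already checked the bounds. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

enum ico_status { ICO_OK = 0, ICO_TRUNCATED, ICO_BAD_MAGIC, ICO_BAD_COUNT, ICO_BAD_ENTRY };

#define ICONDIR_SIZE   6u   /* reserved(2) type(2) count(2) */
#define ICONENTRY_SIZE 16u  /* one directory entry per image */
#define MAX_IMAGES     64u  /* policy limit assumed for this example */

/* Validate the icon directory against the actual buffer length so that
 * no later copy or decode step trusts a size taken from the file. */
enum ico_status ico_validate(const uint8_t *buf, size_t len)
{
    if (len < ICONDIR_SIZE) return ICO_TRUNCATED;
    if (rd16(buf) != 0 || rd16(buf + 2) != 1) return ICO_BAD_MAGIC;

    uint16_t count = rd16(buf + 4);
    if (count == 0 || count > MAX_IMAGES) return ICO_BAD_COUNT;

    size_t dir_end = ICONDIR_SIZE + (size_t)count * ICONENTRY_SIZE;
    if (dir_end > len) return ICO_TRUNCATED;

    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ICONDIR_SIZE + (size_t)i * ICONENTRY_SIZE;
        uint32_t size = rd32(e + 8);   /* bytes of image data */
        uint32_t off  = rd32(e + 12);  /* offset from start of file */
        /* Overflow-safe check: [off, off + size) must lie inside buf. */
        if (size == 0 || off < dir_end || off > len || size > len - off)
            return ICO_BAD_ENTRY;
    }
    return ICO_OK;
}

int main(void)
{
    uint8_t bogus[64];                 /* constructed sample: only 'A' bytes */
    memset(bogus, 'A', sizeof bogus);
    printf("status=%d\n", ico_validate(bogus, sizeof bogus));
    return 0;
}
```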
The patch for MSIE, along with some more useful information to MSIE users, is available at http://www.microsoft.com/technet/security/bulletin/ms99-018.asp.