`Date: Mon, 3 May 1999 16:06:10 -0300
From: Flavio Veloso <[email protected]>
To: [email protected]
Subject: MSIE 5 favicon bug
Hi folks.
When MSIE 5 users bookmark a page, the browser will request a file
named "favicon.ico" which is to be used in the "Favorites" menu of the
browser. Unfortunately MSIE 5 doesn't check the file integrity and
crashes if faced with a bad-formed icon file.
Upon crashing the stack gets filled with information from the icon
file itself, so it may be possible to run code on the client machine,
though I didn't test it.
Microsoft was notified twice about this issue via the "Report a Bug"
form on their web site. The first time about one month ago, the second
time about two weeks ago. I didn't receive back any reply.
More information about this bug (plus another privacy issue about the
"favicon.ico" file) is available at
http://web.cip.com.br/flaviovs/sec/favicon/index.html.
--
Flavio
-------------------------------------------------------------------------
[ http://web.cip.com.br/flaviovs/sec/favicon/index.html ]
<html>
<head>
<title>MSIE 5 favicon bug</title>
<script language="JavaScript">
function bookmarkit()
{
if ( navigator.appVersion.indexOf("MSIE 5") == -1 )
{
alert("This only works on MSIE 5");
return false;
}
if ( confirm("This will crash MSIE!") )
window.external.AddFavorite(location.href, document.title);
return false;
}
</script>
</head>
<body>
<h1>MSIE 5 favicon bug</h1>
<h2>Description</h2>
There's a bug in MSIE 5 when handling the <code>favicon.ico</code>
file downloaded from a web site. By creating an icon file with bad
data, it's possible to crash MSIE 5. The stack is filled with
information from the icon file so it <i>may be</i> possible to create
an icon file with data which would end up executing code on the client
machine.
<blockquote>
<h3><i>The <code>favicon.ico</code> icon file</i></h3>
<i>The <code>favicon.ico</code> file is an icon file in the
MS-proprietary icon file format. It is downloaded by MSIE 5 when the
user asks it to add the page's URL to his/her "Favorites"
list. When the user selects to add the URL, MSIE 5 downloads the file
and shows the icon on the "Favorites" menu. The request for
the <code>favicon.ico</code> file is first done on the same path of
the current URL. If the file is not found, MSIE 5 will backup one
directory in the directory hierarchy and try again. It will do this
until it finds the file or reaches the web server root (e.g. if you
try to bookmark this page, MSIE 5 will look for
<code>favicon.ico</code> in
<code>http://web.cip.com.br/flaviovs/sec/favicon/</code>,
<code>http://web.cip.com.br/flaviovs/sec/</code>,
<code>http://web.cip.com.br/flaviovs/</code> and
<code>http://web.cip.com.br/</code>).</i>
</blockquote>
<h2>Impact</h2>
MSIE 5 will crash when trying to interpret/show such an icon file. It's
unknown if it's possible to create an icon file which will trigger
code execution on the client machine, but evidence shows that it may
be possible (i.e. it looks like a stack buffer overflow).
<h2>Workaround</h2>
It seems it's not possible to turn off the <code>favicon.ico</code>
loading feature. Thus the only workaround is not to add any
non-trusted site to the "Favorites" list and wait for a
patch from Microsoft.
<h2>Example</h2>
<p>If you're using MSIE 5 with Javascript enabled, you can feel <a
href="" onClick="bookmarkit(); return false">the bug in
action</a>. Otherwise just try to bookmark this page (note: this will
<i>crash</i> your browser).
<p><a href="favicon.ico">Here's</a> the <code>favicon.ico</code> file
that triggers the bug. It's composed of a bogus header followed by
lots of "A" characters.
<h2>What Microsoft is Doing</h2>
Apparently, nothing. I reported the bug twice, the first one about one
month ago, the last time about two weeks ago. I didn't receive any
reply.
<h2>Disclaimer</h2>
All information contained in this page is for EDUCATIONAL PURPOSES
ONLY. The author of this page can not be made responsible for any
damage caused by the use or misuse of information here contained.
<h2>Related Documents</h2>
<ul>
<li><a
href="http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp">Web
Workshop Getting Ready for Internet Explorer 5</a></li>
<li><a href="http://www.apacheweek.com/issues/99-04-09">Apache Week:
9th April 1999</a></li>
<li><a href="privacy.html">Privacy Issues about the <code>favicon.ico</code>
File</a></li>
</ul>
<h2>About</h2>
This bug was discovered in April 1999 by Flavio Veloso &lt;<a
href="mailto:[email protected]">[email protected]</a>&gt;.
</body>
</html>
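
The page above says MSIE 5 uses the downloaded icon without checking it. As an added example (not code from the page, from Microsoft or from the later patch), this is the kind of structural check an icon consumer can run before decoding anything; the two size limits, the function names and the sample inputs are assumptions made up for the illustration.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type, image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset
BMP_HEADER_SIZE = 40                       # BITMAPINFOHEADER.biSize
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"           # PNG payloads are a later addition to the format
MAX_FILE_BYTES = 1 << 20                   # assumed policy limit, not from the page
MAX_IMAGES = 64                            # assumed policy limit, not from the page


class BadIcon(ValueError):
    pass


def validate_ico(data):
    """Return [(width, height, offset, size), ...] or raise BadIcon."""
    if len(data) > MAX_FILE_BYTES:
        raise BadIcon("file exceeds size limit")
    if len(data) < ICONDIR.size:
        raise BadIcon("truncated ICONDIR")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise BadIcon("bad ICONDIR signature")
    if not 1 <= count <= MAX_IMAGES:
        raise BadIcon("implausible image count")
    table_end = ICONDIR.size + count * ICONDIRENTRY.size
    if table_end > len(data):
        raise BadIcon("directory table runs past end of file")
    images = []
    for i in range(count):
        w, h, _, _, _, _, size, offset = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + i * ICONDIRENTRY.size)
        # Every length and offset comes from the remote file: bound it by the
        # bytes actually received before anything is copied or decoded.
        if size < BMP_HEADER_SIZE:
            raise BadIcon("image %d smaller than a bitmap header" % i)
        if offset < table_end or offset + size > len(data):
            raise BadIcon("image %d lies outside the file" % i)
        body = data[offset:offset + size]
        if not body.startswith(PNG_MAGIC):
            if struct.unpack_from("<I", body)[0] != BMP_HEADER_SIZE:
                raise BadIcon("image %d has an unknown header" % i)
        images.append((w or 256, h or 256, offset, size))  # 0 encodes 256
    return images


def verdict(data):
    """'ok' for a structurally sound icon, otherwise the rejection reason."""
    try:
        validate_ico(data)
        return "ok"
    except BadIcon as exc:
        return str(exc)


def sample_icon():
    """Constructed 1x1, 32-bpp icon used as the well-formed input."""
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 0, 0, 0, 0, 0)
    dib += b"\x00\x00\x00\xff" + b"\x00\x00\x00\x00"  # one pixel + AND-mask row
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(dib), 22)
    return ICONDIR.pack(0, 1, 1) + entry + dib


# Constructed input matching the page's description of the trigger file:
# "a bogus header followed by lots of 'A' characters".
BOGUS = b"BOGUS!" + b"A" * 512
```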
-------------------------------------------------------------------------
Date: Tue, 4 May 1999 14:15:56 -0300
From: Flavio Veloso <[email protected]>
To: [email protected]
Subject: Re: MSIE 5 favicon bug
On Mon, 3 May 1999, Kurt Seifried wrote:
> > When MSIE 5 users bookmark a page, the browser will request a file
> > named "favicon.ico" which is to be used in the "Favorites" menu of the
> > browser. Unfortunately MSIE 5 doesn't check the file integrity and
> > crashes if faced with a bad-formed icon file.
> >
> > Upon crashing the stack gets filled with information from the icon
> > file itself, so it may be possible to run code on the client machine,
> > though I didn't test it.
>
> Doesn't work for me. NT Server 4.0, SP4, MSIE 5.0 (5.00.2314.1003). Tried
> repeatedly.
Due to some reports, it seems that NT users aren't affected. The GPF
is triggered in the USER.EXE module which I bet is different from the
one on Win 95/98, where I did my tests. You're the first one to report
that OSR/2 isn't affected which sounds very strange to me, since it
came (I believe) before 98.
> > Microsoft was notified twice about this issue via the "Report a Bug"
> > form on their web site. The first time about one month ago, the second
> > time about two weeks ago. I didn't receive back any reply.
>
> Tried it from a couple of Win95 (OSR/2, no patches) machines with MSIE 5.0,
> no crash either... if anyone can replicate this I'd be curious to know. How
> have you gone about testing this? Which platform(s)? Win98 only?
I tested it in two different machines:
* Windows 95 + IE 5.00.2314.1003
* Windows 98 + IE 5.00.2314.1003IS (the "IS" is because this is
a Portuguese version of the browser, I guess)
Both crashed miserably.
--
Flavio
-------------------------------------------------------------------------
Date: Wed, 5 May 1999 11:10:52 +1000
From: [email protected]
To: [email protected]
Subject: Re: MSIE 5 favicon bug
>Tried it from a couple of Win95 (OSR/2, no patches) machines with MSIE 5.0,
>no crash either... if anyone can replicate this I'd be curious to know. How
>have you gone about testing this? Which platform(s)? Win98 only?
I tried it from a Windows 95 OSR2 (v4.0.1111) machine with MSIE5
(v5.00.2014.0216) and about 5 seconds after adding
http://web.cip.com.br/flaviovs/sec/favicon/index.html to my
favourites I got a gpf in USER.EXE just as Flavio had stated...
-------------------------------------------------------------------------
Date: Thu, 6 May 1999 16:32:39 -0400
From: Chris DeRose <[email protected]>
To: [email protected]
Subject: Re: MSIE 5 favicon bug
I tried it from my Win98 (4.10.1998) machine, running MSIE 5
(5.00.2314.1003) and I too got a GPF.
-Chris DeRose
[email protected]
-------------------------------------------------------------------------
Date: Fri, 7 May 1999 12:22:58 +0800
From: Lee Chia Ling <[email protected]>
To: [email protected]
Subject: Re: MSIE 5 favicon bug
Dear all,
Tested from Win98 with MSIE 5.0 (v5.00.2014.0216) and it crashed
as described.
--- cllee
-------------------------------------------------------------------------
Date: Fri, 7 May 1999 19:39:11 +0100
From: Cliff Rowley <[email protected]>
To: [email protected]
Subject: Re: MSIE 5 favicon bug
Also works with:
Win98 4.10.1998
IE5 5.00.2014.0216
-------------------------------------------------------------------------
Date: Fri, 7 May 1999 20:24:45 -0300
From: Flavio Veloso <[email protected]>
To: [email protected]
Subject: Re: MSIE 5 favicon bug
On Fri, 7 May 1999, Jason wrote:
(...)
> "The request for the favicon.ico file is first done on the same path of the
> current URL. If the file is not found, MSIE 5 will backup one directory in
> the directory hierarchy and try again. It will do this until it finds the
> file or reaches the web server root (e.g. if you try to bookmark this page,
> MSIE 5 will look for favicon.ico in
> http://web.cip.com.br/flaviovs/sec/favicon/,
> http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and
> http://web.cip.com.br/)."
>
> My experience is based on the following platform information:
>
> Windows 98 with all available updates (3717
> MSIE 5: 5.00.2014.0216IC 128-bit
>
> Contrary to the information given at the cited URL, my best attempts at
> recreating this alleged phenomenon have been futile. In addition, I am
> fairly confident, based on every log analysis I have performed, that this is
> wrong.
(...)
Hi.
You're absolutely right. Actually I didn't test that and trusted in
the information given by Apacheweek (see
http://www.apacheweek.com/issues/99-04-09).
I'm fixing the page now.
--
Flavio
-------------------------------------------------------------------------
Date: Fri, 7 May 1999 15:46:13 -0700
From: [email protected]
To: [email protected]
Subject: Re: MSIE 5 favicon bug
Hey,
I happened to have IE5 installed on solaris:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.5.1 sun4m; X11)
So I gave it a shot, it appears to not even attempt to get the favicon.ico
file. I even put in the URL
http://web.cip.com.br/flaviovs/sec/favicon/favicon.ico, but all I get is a
broken image icon. So anyway, no crash on solaris.
Blake
-------------------------------------------------------------------------
Date: Fri, 7 May 1999 17:45:18 -0500
From: Jason <[email protected]>
To: [email protected]
Subject: Re: MSIE 5 favicon bug
Aloha.
Below is an exact copy of the information found on the web site Mr.
Veloso provided us with:
"The request for the favicon.ico file is first done on the same path of the
current URL. If the file is not found, MSIE 5 will backup one directory in
the directory hierarchy and try again. It will do this until it finds the
file or reaches the web server root (e.g. if you try to bookmark this page,
MSIE 5 will look for favicon.ico in
http://web.cip.com.br/flaviovs/sec/favicon/,
http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and
http://web.cip.com.br/)."
My experience is based on the following platform information:
Windows 98 with all available updates (3717
MSIE 5: 5.00.2014.0216IC 128-bit
Contrary to the information given at the cited URL, my best attempts at
recreating this alleged phenomenon have been futile. In addition, I am
fairly confident, based on every log analysis I have performed, that this is
wrong.
This is most obvious by creating a large hierarchy of directories like
the following URL (note: there is nothing at this URL but an empty dir):
http://www.plasmic.com/~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/
I supposed that if what Flavio asserted was true, then IE5 would bombard
the server with a plethora of requests for 'favicon.ico' when I added it to
my 'Favorites'.
Here is a sample of what was generated in my apache log file:
I open up the apache-generated directory listing web page:
"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/ HTTP/1.1" 200
733
After bookmarking the site, IE tries to find favicon.ico in the
_current_ directory:
"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/favicon.ico
HTTP/1.1" 404 8999
Directly thereafter (probably virtually simultaneous connections), IE5
attempts to retrieve favicon.ico from the _root_ directory of my web server:
"GET /favicon.ico HTTP/1.1" 404 330
There are no requests in between the ones shown above.
Implications:
- This vulnerability may only be exploited by the owner of the current
directory or the owner of the document root. This does not diminish its core
significance, but is definitely a fundamental point in the understanding of
this bug.
- Adding 'Favorites' does not generate as much traffic or as many requests
as originally thought.
Regards,
Jason Sloderbeck
+===========================-------------------- - - - - - -
| University of Missouri/Kansas City - Computer Science/Telecom
| hom: 816/452.8937 e: [email protected] url: www.umkc.edu
| Plasmic Computer Systems - Chief Information Officer
| off: 816/292.2870 e: [email protected] url: www.plasmic.com
| Midwest Internet Services - Sr. Systems Administrator
| cel: 816/820.9279 e: [email protected] url: www.mwis.net
+===========================-------------------- - - - - - -
----- Original Message -----
From: Flavio Veloso <[email protected]>
To: <[email protected]>
Sent: Monday, May 03, 1999 2:06 PM
Subject: MSIE 5 favicon bug
> Hi folks.
>
> When MSIE 5 users bookmark a page, the browser will request a file
> named "favicon.ico" which is to be used in the "Favorites" menu of the
> browser. Unfortunately MSIE 5 doesn't check the file integrity and
> crashes if faced with a bad-formed icon file.
>
> Upon crashing the stack gets filled with information from the icon
> file itself, so it may be possible to run code on the client machine,
> though I didn't test it.
>
> Microsoft was notified twice about this issue via the "Report a Bug"
> form on their web site. The first time about one month ago, the second
> time about two weeks ago. I didn't receive back any reply.
>
> More information about this bug (plus another privacy issue about the
> "favicon.ico" file) is available at
> http://web.cip.com.br/flaviovs/sec/favicon/index.html.
>
> --
> Flavio
>
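
The log check described in the message above, as an added example that is not part of the original post: it pulls the favicon.ico requests for one client out of an access log and reports which directories between the bookmarked page and the server root were probed. The log lines, client addresses, timestamps and nesting depth are constructed; only the request paths' shape and the status/size values follow the message.

```python
import re

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" \d{3} \S+')

DEPTH = 23                            # constructed nesting depth
DEEP = "/~jason/" + "a/" * DEPTH      # modelled on the test URL in the message
T = "[07/May/1999:17:30:0%d -0500]"   # constructed timestamps
# Constructed log: client .10 behaves as the message reports, client .20
# behaves as the original page claimed (a request at every level).
SAMPLE_LOG = [
    '192.0.2.10 - - %s "GET %s HTTP/1.1" 200 733' % (T % 1, DEEP),
    '192.0.2.10 - - %s "GET %sfavicon.ico HTTP/1.1" 404 8999' % (T % 2, DEEP),
    '192.0.2.10 - - %s "GET /favicon.ico HTTP/1.1" 404 330' % (T % 2),
    '192.0.2.20 - - %s "GET /x/y/index.html HTTP/1.1" 200 512' % (T % 3),
    '192.0.2.20 - - %s "GET /x/y/favicon.ico HTTP/1.1" 404 330' % (T % 4),
    '192.0.2.20 - - %s "GET /x/favicon.ico HTTP/1.1" 404 330' % (T % 4),
    '192.0.2.20 - - %s "GET /favicon.ico HTTP/1.1" 404 330' % (T % 4),
]


def ancestors(page_path):
    """Every directory from the page's own directory up to the root."""
    d = page_path[: page_path.rfind("/") + 1]
    out = [d]
    while d != "/":
        d = d[: d.rstrip("/").rfind("/") + 1]
        out.append(d)
    return out


def favicon_probes(lines, client):
    """Directories in which `client` requested favicon.ico, in log order."""
    dirs = []
    for line in lines:
        m = CLF.match(line)
        if not m or m.group(1) != client or m.group(2) != "GET":
            continue
        path = m.group(3).split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() == "favicon.ico":
            dirs.append(path[: path.rfind("/") + 1])
    return dirs


def lookup_pattern(page_path, probed):
    """Classify the lookup and list the directories that were never asked."""
    walk = ancestors(page_path)
    skipped = [d for d in walk if d not in probed]
    if len(walk) <= 2:
        label = "indistinguishable"   # too shallow to tell the behaviours apart
    elif not skipped:
        label = "full-walk"
    elif skipped == walk[1:-1]:
        label = "current+root"
    else:
        label = "other"
    return label, skipped


if __name__ == "__main__":
    for client, page in (("192.0.2.10", DEEP), ("192.0.2.20", "/x/y/index.html")):
        label, skipped = lookup_pattern(page, favicon_probes(SAMPLE_LOG, client))
        print(client, label, "skipped:", len(skipped))
```

The directories that show up in the probe list are the only places from which an icon can reach the browser, which is the point of the first implication in the message.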
-------------------------------------------------------------------------
Date: Thu, 27 May 1999 18:18:39 -0700
From: [email protected]
To: [email protected]
Subject: Microsoft Security Bulletin (MS99-018)
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-018)
--------------------------------------
Patch Available for "Malformed Favorites Icon" Vulnerability
Originally Posted: May 27, 1999
Summary
=======
Microsoft has released a single patch that eliminates two security
vulnerabilities in Microsoft (r) Internet Explorer 4.0 and 5. The first
potentially could allow arbitrary code to be run on a user's computer. The
second potentially could allow the local hard drive to be read. A fully
supported patch is available to eliminate both vulnerabilities, and
Microsoft recommends that affected customers download and install it, if
appropriate.
Issue
=====
This update eliminates two vulnerabilities:
- The "Malformed Favorites Icon" vulnerability. The Favorites
feature allows IE users to keep a list of their favorite web
sites. In IE 5, the Favorites list can contain icons that are
supplied by the associated web sites. However, there is an
unchecked buffer in the implementation. A specially-malformed icon
could overrun the buffer and be used to run arbitrary code on the
user's computer. This vulnerability only affects IE 5 when run on
Windows 95 or 98; it does not affect Windows NT systems.
- The "Legacy ActiveX Control" vulnerability. An ActiveX control
that was used by previous versions of IE also was included in IE 4.0
and IE 5 even though it is not used by either. It could be misused
to allow a web site to read the user's local hard drive. The update
eliminates the vulnerability by removing the control.
While there are no reports of customers being adversely affected by these
vulnerabilities, Microsoft is proactively releasing the patch to allow
customers to take appropriate action to protect themselves against it.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.0 and 5.0
Note: The patch, provided below in What Customers Should Do, will determine
the version of IE and the platform on which it is installed, and will apply
only the appropriate fix. As a result, the single patch below is
appropriate for use by customers who are affected by either or both of the
vulnerabilities.
What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.
Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.
Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q231450,
Update Available for the "Malformed Favorites Icon" Issue in
Internet Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/50.asp
- Microsoft Knowledge Base (KB) article Q231452,
Update Available for "Legacy ActiveX Control" Issue in Internet
Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/52.asp
(Note: It might take 24 hours from the original posting of this bulletin for
the KB article to be visible in the Web-based Knowledge Base.)
What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the patch. As noted above, the patch is appropriate for use on
systems that are affected by either or both of the vulnerabilities. The
patch can be found at
www.microsoft.com/windows/ie/security/favorites.asp
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-018,
Patch Available for "Malformed Favorites Icon" Vulnerability,
http://www.microsoft.com/security/bulletins/ms99-018.asp.
- Microsoft Knowledge Base (KB) article Q231450,
Update Available for the "Malformed Favorites Icon" Issue in
Internet Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/50.asp.
- Microsoft Knowledge Base (KB) article Q231452,
Update Available for "Legacy ActiveX Control" Issue in Internet
Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/52.asp
Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
===============
Microsoft acknowledges Flavio Veloso ([email protected]) for
discovering the "Malformed Favorites Icon" vulnerability and reporting it
to us, and Steve Loughran for discovering the "Legacy ActiveX Control"
vulnerability and reporting it to us.
Revisions
=========
- May 27, 1999: Bulletin Created.
For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
----------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to [email protected]
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
`