Microsoft Internet Explorer Content Advisor File Handling Buffer Overflow Vulnerability

ID SMNTC-13117
Type symantec
Reporter Symantec Security Response
Modified 2005-04-12T00:00:00



Microsoft Internet Explorer is prone to a remote buffer overflow vulnerability when handling malformed Content Advisor files. An attacker can exploit this issue by crafting a Content Advisor file that contains excessive data and arbitrary machine code, which the browser then processes. A typical attack would involve the attacker creating a Web site that includes the malicious file. A similar attack can also be carried out through HTML email using the Microsoft Outlook and Microsoft Outlook Express applications. Successful exploitation requires the user to follow various steps to install a malicious file.

Technologies Affected

  • Microsoft Internet Explorer 5.0.1
  • Microsoft Internet Explorer 5.0.1 SP1
  • Microsoft Internet Explorer 5.0.1 SP2
  • Microsoft Internet Explorer 5.0.1 SP3
  • Microsoft Internet Explorer 5.0.1 SP4
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1
  • Microsoft Internet Explorer 6.0 SP2


Run all software as a nonprivileged user with minimal access rights.
All client applications should be executed with the minimal amount of privileges required for functionality. This will reduce the impact of a successful attack.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Network intrusion detection systems should be deployed to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploitation attempts or activity that results from successful exploitation.

Do not accept or execute files from untrusted or unknown sources.
Avoid opening and installing files that originate from users of questionable integrity.

Do not follow links provided by unknown or untrusted sources.
An attacker may entice victim users to follow a link to a malicious Web site that may be used to trigger this issue. Users should refrain from following links that originate from unknown or untrusted sources.

Set web browser security to disable the execution of script code or active content.
Disabling support of active scripting in Internet Explorer can prevent successful exploitation. It should be noted that this will have an adverse effect on the functionality of the browser when rendering Web sites that employ scripts.

Do not open email messages from unknown or untrusted individuals.
Users should refrain from opening email messages that originate from unknown or questionable sources. Disabling support for HTML email can also prevent successful exploitation.

Microsoft has released updates to address this vulnerability on supported platforms. Internet Explorer 6 for Windows Server 2003 SP1, including the 64-Bit Edition, is not affected by this issue. Windows XP Professional x64 Edition is also not affected. Microsoft has released fixes for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. These updates are available from the Windows Update Web site. Localized Slovenian and Slovakian fixes are available for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition as well. Please see the referenced Microsoft bulletin for more information.