COMMAND

    Microsoft Internet Explorer 4.0 (others?) plus html mail readers

SYSTEMS AFFECTED

    Windows 3.x, 9x, NT, UNIX, Mac

PROBLEM

    Georgi Guninski found the following.  Microsoft Internet Explorer 4.0
    (other versions unknown) can be crashed, and eventually made to
    execute arbitrary code, with a little help from the <EMBED> tag.
    The following:

        <EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>

    opens a dialog box and closes IE 4.0.  It seems that the long file
    extension causes a stack overrun.  The stack is smashed: it is filled
    with our values, EIP is also ours, and CS=SS.  So a string could
    probably be constructed that executes code on the client's machine.
    To try this, please go to:

        http://www.geocities.com/ResearchTriangle/1711/msie.html

    On a Windows '98 box, hitting the referenced site caused Explorer
    to GP (general protection fault), but you can kill it and everything
    will remain hunky-dory (the current IE process was blown away, but
    the desktop etc. will be fine).  The same goes for NT.

    Exploit follows:

    <HTML>
    Trying to crash IE 4.0
    <EMBED
    SRC=file://C|/A.01234567890123456789012345678901234567890123456789012345
    678901234567890123456789012345678901234567890123456789012345678901234567
    890123456789012345678901234567890123456789012345678901234567890123456789
    0123456789012345678901234567890123456789>
    </HTML>

    This not only crashes MSIE4 but also Eudora 4.0.  You can't read
    this mail without a crash if it is in pure HTML.

SOLUTION

    Microsoft has posted a fix to protect Internet Explorer users
    against a potential problem known as the "Embed" issue.  Go to:

        http://www.microsoft.com/ie/security/main.htm

    Eudora Pro 4.0 gives you an option (under Tools.Options.Viewing
    Mail) to "Use Microsoft's Viewer".  Selecting this will use the IE
    4.0 engine to view your mail messages, and because of Eudora's
    preview pane, it can crash Eudora as soon as a message arrives
    with the naughty <embed> tag, which can be quite confusing.
    To be safe again, either downgrade to Eudora Pro 3.0, which is
    almost identical feature-wise and a lot more efficient, or just
    don't use IE 4.0 as Eudora's mail viewer, which makes no real
    difference, or apply the IE patch.
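
    A mail gateway or proxy can also flag the pattern described above
    before it reaches an unpatched viewer.  The Python code below is an
    added example, not part of the original advisory or of any vendor
    fix: it reports EMBED tags whose SRC file extension is overlong.
    The 32-character threshold and the names extension_length,
    EmbedScanner and scan_html are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed cut-off; the advisory only reports a crash at about 200 characters.
MAX_EXT_LEN = 32


def extension_length(src):
    """Length of the text after the last '.' in the final path segment."""
    # file:// URLs of this era write the drive as "C|"; accept "\" as a separator too.
    path = urlsplit(src.strip()).path.replace("\\", "/")
    name = path.rsplit("/", 1)[-1]
    return len(name.rsplit(".", 1)[1]) if "." in name else 0


class EmbedScanner(HTMLParser):
    """Records EMBED tags whose SRC has an extension longer than max_ext_len."""

    def __init__(self, max_ext_len=MAX_EXT_LEN):
        super().__init__()
        self.max_ext_len = max_ext_len
        self.findings = []  # (line number, extension length)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <EMBED SRC=...> matches.
        if tag != "embed":
            return
        for name, value in attrs:
            if name == "src" and value:
                ext_len = extension_length(value)
                if ext_len > self.max_ext_len:
                    self.findings.append((self.getpos()[0], ext_len))


def scan_html(html_text, max_ext_len=MAX_EXT_LEN):
    """Return [(line, extension_length), ...] for suspicious EMBED tags."""
    scanner = EmbedScanner(max_ext_len)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample: one overlong extension, one ordinary EMBED.
SAMPLE = ("<HTML>\n<EMBED SRC=file://C|/A." + "0" * 200 + ">\n"
          '<embed src="movie.mov">\n</HTML>\n')

if __name__ == "__main__":
    for line, ext_len in scan_html(SAMPLE):
        print(f"line {line}: EMBED SRC extension is {ext_len} characters")
```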