COMMAND

    favicon.ico

SYSTEMS AFFECTED

    MSIE 5 on Win9x

PROBLEM

    Flavio Veloso found the following.  When MSIE 5 users bookmark a
    page, the browser requests a file named "favicon.ico", which is
    used in the "Favorites" menu of the browser.  Unfortunately, MSIE 5
    doesn't check the file's integrity and crashes when faced with a
    malformed icon file.  Upon crashing, the stack is filled with
    information from the icon file itself, so it may be possible to
    run code on the client machine [NOT TESTED].
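
    An added example, not part of the original advisory or of the
    finder's page: the kind of structural check the paragraph above
    says MSIE 5 omits, applied to the ICO directory before a
    favicon.ico is served or parsed.  The advisory does not say which
    malformation triggers the crash, so the checks and the constructed
    sample files (make_ico is a hypothetical helper) are assumptions,
    and they cover only the directory, not the bitmap data.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type, image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset


def check_ico(data: bytes) -> list[str]:
    """Return structural problems found in the ICO directory; empty list means none."""
    if len(data) < ICONDIR.size:
        return ["file shorter than the 6-byte ICONDIR header"]
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    problems = []
    if reserved != 0:
        problems.append(f"reserved field is {reserved}, expected 0")
    if kind != 1:
        problems.append(f"type field is {kind}, expected 1 (icon)")
    if count == 0:
        problems.append("directory declares zero images")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if dir_end > len(data):
        # Entries cannot be read safely, so stop here.
        problems.append(f"directory of {count} entries runs past end of file")
        return problems
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        if offset < dir_end:
            problems.append(f"entry {i}: image offset {offset} overlaps the directory")
        if size == 0 or offset + size > len(data):
            problems.append(f"entry {i}: image range {offset}+{size} is empty "
                            f"or exceeds file length {len(data)}")
    return problems


def make_ico(size_field: int, payload: bytes) -> bytes:
    """Constructed sample: one-entry icon whose declared image size we control."""
    entry = ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, size_field, 22)
    return ICONDIR.pack(0, 1, 1) + entry + payload


if __name__ == "__main__":
    body = bytes(64)  # constructed placeholder image bytes, not a real bitmap
    samples = [("consistent directory", make_ico(64, body)),
               ("declared size too large", make_ico(0xFFFF, body)),
               ("truncated directory", make_ico(64, body)[:10])]
    for name, blob in samples:
        print(name, "->", check_ico(blob) or "ok")
```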

    More information about this bug (plus another privacy issue about
    the "favicon.ico" file) is available at:

        http://web.cip.com.br/flaviovs/sec/favicon/index.html

    Also, without that file on the server side, your logs will grow...
    According to some reports, it seems that NT users aren't affected.
    The GPF is triggered in the USER.EXE module, which on NT is
    different from the one on Win 95/98, where the tests were made (one
    report stated OSR/2 isn't affected, which sounds very strange since
    it came before 98).

SOLUTION

    Microsoft highly recommends that customers evaluate the degree of
    risk that this vulnerability poses to their systems and determine
    whether to download and install the patch.  As noted above, the
    patch is appropriate for use on systems that are affected by
    either or both of the vulnerabilities.  The patch can be found at:

        http://www.microsoft.com/windows/ie/security/favorites.asp