Patch Available for the "Malformed Favorites Icon" Vulnerability
3 Jun. 1999
Summary
Microsoft has released a single patch that eliminates two security vulnerabilities in Microsoft Internet Explorer 4 and 5. The first can cause arbitrary code to run, and the second can cause local files to be read. A fully supported patch is available that eliminates both vulnerabilities.
This update eliminates two vulnerabilities:
- The "Malformed Favorites Icon" vulnerability. The Favorites feature allows IE users to keep a list of their favorite web sites. In IE 5, the Favorites list can contain icons that are supplied by the associated web sites. However, there is an unchecked buffer in the implementation. A malformed icon can cause a buffer overrun and can potentially be used to run arbitrary code on the user's computer. This vulnerability only affects IE 5 when run on Windows 95 or 98; it does not affect Windows NT.
- The "Legacy ActiveX Control" vulnerability. An ActiveX control that was used by previous versions of IE was also included in IE 4 and IE 5, even though neither version uses it. It could be misused to allow a web site to read the user's local hard drive. The update eliminates the vulnerability by removing the control.