Pastimes : Computer Learning

To: wily who wrote (4700) 7/27/1999 12:39:00 AM
From: mr.mark
 
from an email i received today...

"IE5 Weirdness #1: The FavIcon Mystery (and Security Hole)

Reader Brian Dillree was the first of several readers to ask
a question about an increasingly common practice:

Fred,
I'm hoping you can help me on this one. It
has me and a couple other people stumped.
How do some websites insert their own icon
into ie5 internet shortcuts?
If you don't know what I mean, go to
deja.com (for example) and create a shortcut to it
either on your desktop or right in the ie5 toolbar
and the standard ie5 icon is replaced with the
deja.com icon.
How is this possible??
Thanx in advance
Brian Dillree

If a web designer creates a special icon for a web page,
makes it 16x16 pixels in size, uses 16 colors, and names it
"favicon.ico," then when you either put that page on your
favorites list or create a shortcut on your desktop, IE5
will use the "favicon" icon in place of the standard dog-
eared web page IE5 icon.

Lots of web sites are doing this now as a way to customize
their look and to help make their pages stand out from the
crowd.

But there can be a problem: As Microsoft puts it, "A
specially-malformed icon could overrun the buffer and be
used to run arbitrary code on the user's computer." By which
they mean someone could hack your system and run whatever
software they wanted.

About 60 days ago, Microsoft released a patch for this
"vulnerability;" If you've been keeping up with all your
updates and fixes, you probably already have this one. But
if not--- check out
microsoft.com

But there's another snag: It's theoretically possible for a
web site to track which IP address is calling for the
favicon.ico. This isn't exactly a gaping security hole, but
it is at least theoretically possible for a site owner to
figure out which IP addresses are bookmarking his or her
site. It would be somewhat easier for the site to build a
log of your bookmarks if you let the site set a cookie, or
if you registered upon entry.

I mention this low-risk security hole in the interests of
completeness, but I also have to say I think the odds of
anyone going to that amount of hassle just to see if you
bookmarked a page on their site are quite remote. And even
if they did know what you bookmarked from their site, so
what?

Note that there's no way for a favicon to be used to snoop
your other bookmarks, or to see what you bookmark on other
sites.

So this is a mostly theoretical problem--- and a tiny one at
that.

But the "malformed favicon" issue is more real--- grab the
patch, if you haven't already."
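
The "malformed icon could overrun the buffer" risk quoted above comes down to trusting sizes and offsets stored inside the file. The following is an added example, not part of the original post or of any Microsoft code: a bounds-checked reader for the standard ICO directory layout. The post does not say which field the IE5 bug involved, so the function name, result codes and both sample files here are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian reads from an untrusted byte buffer. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

enum { ICO_OK = 0, ICO_TRUNCATED, ICO_BAD_HEADER, ICO_BAD_ENTRY };

/* Validate the ICO file in buf[0..len): every count, size and offset read
 * from the file is checked against len before any image data is touched. */
int ico_validate(const uint8_t *buf, size_t len)
{
    if (len < 6) return ICO_TRUNCATED;                /* 6-byte ICONDIR */
    if (rd16(buf) != 0 || rd16(buf + 2) != 1) return ICO_BAD_HEADER;
    uint32_t count = rd16(buf + 4);
    if (count == 0) return ICO_BAD_HEADER;
    size_t dir_end = 6 + (size_t)count * 16;          /* 16-byte entries */
    if (dir_end > len) return ICO_TRUNCATED;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 6 + (size_t)i * 16;
        uint32_t size = rd32(e + 8);                  /* image data length */
        uint32_t off  = rd32(e + 12);                 /* offset from file start */
        if (size == 0 || off < dir_end) return ICO_BAD_ENTRY;
        /* "size > len - off" instead of "off + size > len": cannot wrap. */
        if (off > len || size > len - off) return ICO_BAD_ENTRY;
    }
    return ICO_OK;
}

/* Constructed sample: one 16x16, 16-colour entry, 4 data bytes at offset 22. */
static const uint8_t sample_ok[26] = {
    0,0, 1,0, 1,0,
    16,16,16,0, 1,0, 4,0, 4,0,0,0, 22,0,0,0,
    0xAA,0xBB,0xCC,0xDD };
/* Constructed sample: same file, but the entry claims 0xFFFFFFF0 data bytes. */
static const uint8_t sample_bad[26] = {
    0,0, 1,0, 1,0,
    16,16,16,0, 1,0, 4,0, 0xF0,0xFF,0xFF,0xFF, 22,0,0,0,
    0xAA,0xBB,0xCC,0xDD };

int main(void)
{
    printf("ok=%d bad=%d truncated=%d\n", ico_validate(sample_ok, sizeof sample_ok),
           ico_validate(sample_bad, sizeof sample_bad), ico_validate(sample_ok, 10));
    return 0;
}
```

In the second sample a 32-bit `off + size` would wrap around to 6 and pass a naive length check, which is why the comparison is written as a subtraction.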