Microsoft Internet Explorer Content Advisor File Handling Buffer Overflow Vulnerability



Date Discovered

April 12, 2005


Microsoft Internet Explorer is prone to a remote buffer overflow vulnerability when handling malformed Content Advisor files. An attacker can exploit this issue by crafting a Content Advisor file with excessive data and arbitrary machine code to be processed by the browser. A typical attack would involve the attacker creating a Web site that includes the malicious file. A similar attack can also be carried out through HTML email using Microsoft Outlook and Microsoft Outlook Express applications. It should be noted that successful exploitation requires the user to follow various steps to install a malicious file.

Technologies Affected

  • Microsoft Internet Explorer 5.0.1
  • Microsoft Internet Explorer 5.0.1 SP1
  • Microsoft Internet Explorer 5.0.1 SP2
  • Microsoft Internet Explorer 5.0.1 SP3
  • Microsoft Internet Explorer 5.0.1 SP4
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1
  • Microsoft Internet Explorer 6.0 SP2


Run all software as a nonprivileged user with minimal access rights.
All client applications should be executed with the minimal amount of privileges required for functionality. This will reduce the impact of a successful attack.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Network intrusion detection systems should be deployed to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploitation attempts or activity that results from successful exploitation.

Do not accept or execute files from untrusted or unknown sources.
Avoid opening and installing files that originate from users of questionable integrity.

Do not follow links provided by unknown or untrusted sources.
An attacker may entice victim users to follow a link to a malicious Web site that may be used to trigger this issue. Users should refrain from following links that originate from unknown or untrusted sources.

Set web browser security to disable the execution of script code or active content.
Disabling support of active scripting in Internet Explorer can prevent successful exploitation. It should be noted that this will have an adverse effect on the functionality of the browser when rendering Web sites that employ scripts.

Do not open email messages from unknown or untrusted individuals.
Users should refrain from opening email messages that originate from unknown or questionable sources. Disabling support for HTML email can also prevent successful exploitation.

Microsoft has released updates to address this vulnerability on supported platforms. Internet Explorer 6 for Windows Server 2003 SP 1 including 64-Bit Edition is not affected by this issue. Windows XP Professional x64 Edition is also not affected. Microsoft has released fixes for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. These updates are available from the Windows Update Web site. Localized Slovenian and Slovakian fixes are available for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition as well. Please see the referenced Microsoft bulletin for more information.



Discovery is credited to Andres Tarasco of SIA Group.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.