Vulnerability

Internet Explorer & AIM

Affected

Internet Explorer 5.0 & AOL Instant Messenger 3.x

Description

Lark Lizerman found the following. The US version of Internet Explorer 5 does not recognize German characters such as "ü", "ö" and "ä". When you move your mouse pointer over a link whose URL contains such characters, the pointer does not become a pointing hand. That is the reason why IE5 will not try to load that website. But AOL Instant Messenger is capable of HTML, so when you insert a link like that, IE5 is given the URL as a parameter and is not able to interpret it. This makes AIM eat up all available memory and makes Win98's VMM and TCP VxD crash by overflowing a buffer with the non-interpretable URL string.

AIM probably uses a line similar to this for loading a URL:

    ShellExecute( 0, "open", "http://www.yourdomain.com", NULL, NULL, SW_NORMAL );

The problem is that AIM does not check for:

1) length
2) illegal characters: although it asks you about "illegal characters", it permits you to use them.

AIM can handle such characters because it treats the URL as a StringVar, but IE cannot interpret them, so it fails, resulting in a system crash.

For a demonstration and FULL details visit: http://www.doc2000.de/ie5_bug.htm

Lark Lizerman later found new characters that are able to crash Win98 (SE). The new characters are: "ê", "ô", "â". It might be that French versions of IE5 and AIM 3.0 are not affected by these characters because they are in the French alphabet (which does not mean they are included in the software). But all other versions, e.g. US, are affected.

Solution

Nothing yet. Some people were not able to recreate this issue.
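
The two checks the description says are missing (length and illegal characters), written as a gate a caller would apply before handing a URL to ShellExecute. This is an added example, not code from the advisory or from AIM; the function name url_is_safe_to_launch, the MAX_URL_LEN cap of 2048 and the http/https-only rule are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed cap for this example; the advisory does not state a limit. */
#define MAX_URL_LEN 2048

/* Hypothetical helper: returns 1 only if url is non-empty, no longer than
 * MAX_URL_LEN, starts with http:// or https://, and consists solely of
 * ASCII characters that may appear in a URL. Bytes >= 0x80 (for example
 * Latin-1 0xFC, "u" with umlaut) and control characters are rejected
 * instead of being warned about and passed on.
 * A caller would invoke ShellExecute(0, "open", url, ...) only on 1. */
int url_is_safe_to_launch(const char *url)
{
    static const char allowed_punct[] = "-._~:/?#[]@!$&'()*+,;=%";
    size_t len = 0, i;

    if (url == NULL)
        return 0;

    /* Check 1: length. Never scan more than MAX_URL_LEN + 1 bytes. */
    while (len <= MAX_URL_LEN && url[len] != '\0')
        len++;
    if (len == 0 || len > MAX_URL_LEN)
        return 0;

    /* Assumption: only web links are meant to reach the browser. */
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;

    /* Check 2: characters. Reject the URL rather than warn and continue. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && strchr(allowed_punct, c) == NULL)
            return 0;
    }
    return 1;
}
```
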