
AOL Instant Messenger/Microsoft Internet Explorer remote code execution

“Vulnerable
----------
- Microsoft Internet Explorer 6.0 (lower was not tested)
- Microsoft Windows XP Pro
- Microsoft Windows XP Home
- Microsoft Windows 2003 Server Enterprise
- AOL Instant Messenger 5.5 to 4.3 tested

Not Vulnerable
--------------
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 9X

Severity
--------
High - Remote code execution

In English
----------
There is a problem in Internet Explorer where a file can be displayed as HTML even though
the file is not an HTML file. Also, the file can be run in the My Computer zone, where lower
restrictions apply. AOL Instant Messenger buddy icons (and maybe themes; not tested) are
just ONE way to get a file in a known location on the hard drive. All environments were tested
fully patched from Windows Update and double-checked with Microsoft Baseline Security Analyzer 1.2…

Temp Fix
--------
- Turn off buddy icons in My Aim > Edit Options > Edit Preferences > Buddy Icons
- Disable scripting in Internet Explorer
- Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox www.mozilla.org)”
