old netscape vuln - affecting XP/explorer?
From: cassidy macfarlane (cmac23@barrysworld.com)
Date: 09/06/02
Date: Fri, 6 Sep 2002 12:56:40 +0100
From: "cassidy macfarlane" <cmac23@barrysworld.com>
To: <vuln-dev@securityfocus.com>
Hi
I posted this to bugtraq, but was advised to post here..
I d/loaded the old 'crash-netscape.jpg' from secfocus (id 1503,
http://online.securityfocus.com/data/vulnerabilities/exploits/crash-netscape.jpg )
Sorry if it wraps
intending to have a play with Mozilla ;). I stuck it into my cygwin
dir on my local HD.
When I browse to this folder using explorer (***Tiles view***),
I get an explorer restart. (all open explorer windows close, but apps
persist)
/snip
Faulting application explorer.exe, version 6.0.2600.0, faulting
module ntdll.dll, version 5.1.2600.0, fault address 0x00003812.
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 36 e 6.0.26
0028: 30 30 2e 30 20 69 6e 20 00.0 in
0030: 6e 74 64 6c 6c 2e 64 6c ntdll.dl
0038: 6c 20 35 2e 31 2e 32 36 l 5.1.26
0040: 30 30 2e 30 20 61 74 20 00.0 at
0048: 6f 66 66 73 65 74 20 30 offset 0
0050: 30 30 30 33 38 31 32 0d 0003812.
0058: 0a .
/end snip
I'm running XP Pro, all hotfixes (apart from today's....MS02-049 and
MS02-050...yawn)
Does anyone else get the same?
Is this exploitable? - I get the same address (0x0003812) every
time...is this adjustable with the header/etc in the dodgy .jpg?
TIA, and apologies if this is known or a misconfiguration.
Cassidy Macfarlane
Group IT
www.tenongroup.com
PGP fingerprint: 31A2 1A52 6CB9 E91C 27D8 9C5C FC40 4FD7 5E96 E1A4