A long time ago I found an interesting vulnerability in Microsoft Internet Explorer 6 in which it was possible to execute JavaScript that was included in an image. The following is the timeline of it:
07/15/05 Sven Vetsch detects the flaw
07/31/05 Sven Vetsch informs Microsoft
08/08/05 Semi-automated response by Microsoft
09/19/05 Proof-of-concept published at computec.ch
09/19/05 Full article published in scip monthly Security Summary
09/22/05 Public advisory
So, as you can see, it's really a long time ago, and Microsoft Internet Explorer 7 has now been out for a few days. But what's that? The bug is still there. Is it possible that Microsoft offers long-term support for vulnerabilities?
What could I do to get them to fix it? I've informed Microsoft about three times, there was an advisory on Bugtraq which Marc Ruef wrote for me, and I wrote a POC paper.
So, for all the people who still don't know about the vulnerability, here's a POC code and a short description:
<a GIF-Header>
<HTML>
<HEAD>
<SCRIPT>alert('XSS');</SCRIPT>
</HEAD>
</HTML>
Simply put the script above in a file which you call foo.gif (*.jpg and so on will also work), upload it to a webserver (it doesn't work from the local machine) and then access the file directly (img tags don't work).
That's it: an old security hole is still alive and the good/bad guys out there can use it for fun and profit.
Hi Sven,
It's not a "GIF bug" and it's not new. It's a pretty nasty feature of MSIE, documented for example here:
http://msdn.microsoft.com/workshop/networking/moniker/overview/mime_handling.asp
Hi Martin,
as I wrote in my blog posting it’s a very old bug so I agree with you.
The thing with feature/bug, that's another story. The name "GIF-Bug" was created by K-Gen in his advisory at Full Disclosure about a security flaw in phpBB, in which he wrote "Special Credits to: Sven Vetsch (the original finder of "The gif bug")." That's why I also call it GIF-Bug, because I think it's a funny name for it.
Now to the last point, that it's a (as you already said, nasty) feature. You're absolutely right when I think back to a conversation (over mail) I had with a security guy from Microsoft after my article in the scip monthly Security Summary. This guy sent me the same link as you posted above and he also said that this is a feature. But everyone can say what he wants; from my point of view it's definitely a nasty bug which is critical for the security of a Microsoft Windows system, and so it's not a feature.
I think that's a bug (nasty feature :) too, but it's not new, and use of this feature to perform an XSS attack was already mentioned before "07/15/05 Sven Vetsch detects the flaw" …