Bugtraq mailing list archives
Re: More Internet Explorer zone confusion
From: bugtraq.user () parity mit edu (Jeremy Nimmer)
Date: Mon, 8 Mar 1999 03:56:27 -0500
MS98-016 dealt with addresses such as http://031713501415/ ...

user has the "Domain Suffix Search Order" in the TCP/IP DNS settings ...

The second case occurs when a host has an assigned alias in the hosts ...

"This behavior is correct"?!?!?! Give me a break. They obviously didn't think so when they released the MS98-016 bulletin.

Jim Paris jim () jtan com

The difference between MS98-016 and your examples is simple. The bulletin addressed an issue where an external site could, without your control, fool your browser into thinking a remote site was "local intranet". In your examples, the user must choose specific settings to allow the problem to occur. If you are concerned about the problem, simply remove .com, etc. from your DNS suffix search, and don't put nasty hosts in your hosts file.

The zone settings are not meant to be rock-solid security protection. If they pose a risk to you, set all zones to the maximum security. This was all already talked about when the above-mentioned bulletin came out.

In the end, this is not a "bug" in the browser - it's a configuration problem. While worthy of mention, it does not deserve flamage.

Thanks,
-= remmiN ymereJ | Jeremy Nimmer =-
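
The configuration check suggested in the reply above, as an added Python example that is not part of the original thread. It assumes the zone rule at issue is that a host name containing no dot is treated as Local intranet; the function names, the sample hosts file, the suffix list and the documentation-range addresses standing in for outside hosts are all constructed.

```python
import ipaddress

# Address ranges treated as "inside" for this audit (assumption: adjust to your network).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample inputs; 203.0.113.x and 198.51.100.x stand in for outside hosts.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1      localhost
10.1.2.3       fileserver intranet-wiki
203.0.113.10   partner          # dotless alias for an outside host
198.51.100.7   www.example.com mirror
"""
SAMPLE_SUFFIXES = ["corp.example.com", "com", ".net"]


def audit_hosts(text):
    """Return (name, ip) pairs where a dotless name maps to a non-internal address."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # skip malformed lines
        if any(ip in net for net in INTERNAL):
            continue
        for name in fields[1:]:
            if "." not in name.rstrip("."):       # dotless: looks like an intranet name
                findings.append((name, str(ip)))
    return findings


def audit_suffixes(suffixes):
    """Return search suffixes that are a bare top-level domain such as 'com'."""
    return [s for s in suffixes if s.strip(".") and "." not in s.strip(".")]


if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: dotless name {name!r} points at outside address {ip}")
    for suffix in audit_suffixes(SAMPLE_SUFFIXES):
        print(f"dns: search suffix {suffix!r} lets short names resolve to outside hosts")
```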