Bugtraq mailing list archives
Re: More Internet Explorer zone confusion
From: jim () JTAN COM (Jim Paris)
Date: Mon, 8 Mar 1999 14:17:43 -0500
> The difference between MS98-016 and your examples is simple. The bulletin addressed an issue where an external site could, without your control, fool your browser into thinking a remote site was "local intranet".

And this can occur with my examples as well. I didn't control it at all.

> In your examples, the user must choose specific settings to allow the problem to occur. If you are concerned about the problem, simply remove .com, etc. from your DNS suffix search, and don't put nasty hosts in your hosts file.

Just because I added a DNS suffix search order and put hosts into my hosts file does not (or, at least, SHOULD not) mean that I am choosing "specific settings to allow the problem to occur". How was I supposed to know that simplifying my life by adding a search suffix of ".com" was opening me up to a vulnerability?

> In the end, this is not a "bug" in the browser - it's a configuration problem. While worthy of mention, it does not deserve flamage.

No, this is a bug in the browser. Changing something over at point A shouldn't affect my security at point B.

-jim
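An added example, not part of the original post or thread: a defender-side audit of the two settings discussed above (the DNS suffix search list and the hosts file), flagging entries that let a dotless name resolve to an outside host. It assumes the browser treats dotless host names as "Local intranet"; the function names, the TLD list, the internal address ranges and the sample data are all constructed for illustration.

```python
import ipaddress

# Assumptions for this example: bare public TLDs (short constructed list) and
# the address ranges treated as "inside" (RFC 1918, loopback, IPv6 ULA).
PUBLIC_TLDS = {"com", "net", "org", "edu"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_internal(ip):
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)

def risky_suffixes(search_list):
    """Search suffixes that are a bare public TLD, such as '.com'."""
    return [s for s in search_list if s.strip(".").lower() in PUBLIC_TLDS]

def expansions(short_name, search_list):
    """FQDNs a resolver would try for a dotless name, in search order."""
    return [f"{short_name}.{s.strip('.')}" for s in search_list]

def risky_hosts(hosts_text):
    """(name, ip) pairs where a dotless hosts-file name maps outside INTERNAL_NETS."""
    findings = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address line
        if not is_internal(ip):
            findings += [(n, str(ip)) for n in fields[1:] if "." not in n]
    return findings

# Constructed sample configuration (203.0.113.0/24 is a documentation range).
SEARCH = ["corp.example", "com"]
HOSTS = """\
127.0.0.1     localhost
10.1.2.3      fileserver
203.0.113.10  partner        # dotless alias for an outside host
203.0.113.11  www.example.org
"""

if __name__ == "__main__":
    print("public suffixes:", risky_suffixes(SEARCH))
    print("'shop' expands to:", expansions("shop", SEARCH))
    print("dotless outside hosts:", risky_hosts(HOSTS))
```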