Microsoft Security Bulletin (MS98-016)

[aleph1 () DFW NET (Aleph One)]

---------- Forwarded message ----------
Date: Fri, 23 Oct 1998 17:50:58 -0700
From: Microsoft Product Security <secnotif () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-016)

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

Microsoft Security Bulletin (MS98-016)
-----------------------------------------------------------------
Update available for "Dotless IP Address" Issue in
Microsoft Internet Explorer 4

Originally Posted: October 23, 1998
Last Revised: October 23, 1998

Summary
=======
Microsoft has released a patch that fixes a vulnerability in the way
Internet Explorer 4 determines what security zone a target server is in. By
exploiting this vulnerability, a malicious hacker could misrepresent the URL
of their website, causing the site to be treated as it if were located on an
intranet by Internet Explorer's Security Zones feature.

Microsoft highly recommends that users that have affected software installed
on their systems should download and install the available patch as soon as
possible.

Issue
=====
The "Dotless IP Address" issue involves a vulnerability in Internet Explorer
that could allow a malicious hacker to circumvent certain Internet Explorer
security safeguards. This vulnerability makes it possible for a malicious
web site operator to misrepresent the URL of an Internet web site and make
it appear as if the machine is in the user's "Local Intranet Zone". Internet
Explorer has the ability to set security settings differently between
different zones. By exploiting this vulnerability, a malicious site could
potentially perform actions that had been disabled in the Internet Zone or
Restricted Sites Zone, but which are permitted in the Local Intranet Zone.

The nature of this vulnerability lies in the way that Internet Explorer
evaluates URLs. Internet Explorer interprets a 32-bit number in the host
identifier portion of the URL (e.g. http://031713501415) as a valid host
name, while the IP stack resolves this address to its equivalent dotted IP
format (207.46.131.13 in this example). Internet Explorer incorrectly
considers this machine to be in the Local Intranet Zone, rather than in the
Internet Zone. It would therefore apply the security settings for the Local
Intranet Zone, rather than those for the Internet Zone. Depending on the
settings in the user's Local Intranet Zone, this could allow the web site to
take actions that it ordinarily could not take.

Note: The default configuration for both the Internet Zone and the Local
Intranet Zone is "Medium Security". However, there is one difference between
these defaults: the Local Intranet Zone enables the automatic use of NTLM
challenge response authentication with local intranet machines, while this
option is disabled by default when talking with servers in the Internet
Zone. (see the "Administrative Workaround" section below for more details on
changing these defaults.)

While there have not been any reports of customers being adversely affected
by these problems, Microsoft is releasing a patch to address any risks posed
by this issue.

Affected Software Versions
==========================
 - Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on
   Windows NT 4.0, Windows 95
 - Microsoft Windows 98, with integrated Internet Explorer
 - Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1
   and Windows NT 3.51
 - Microsoft Internet Explorer 4.01 for UNIX

This vulnerability does not affect Internet Explorer 3.
This vulnerability does not affect Internet Explorer 4 for the Macintosh.

What Microsoft is Doing
=======================
On October 23rd Microsoft released a patch that fixes the problem. This
patch is available for download from the sites listed below.

Microsoft has sent this security bulletin to customers subscribing to the
Microsoft Product Security Notification Service (see
http://www.microsoft.com/security/bulletin.htm for more information about
this free customer service).

Microsoft has published the following Knowledge Base (KB) article on this
issue:

 - Microsoft Knowledge Base (KB) article Q168617, Update Available
   for Dotless IP Address Security Issue,
   http://support.microsoft.com/support/kb/articles/q168/6/17.asp

(Note: It might take 24 hours from the original posting of this bulletin for
the KB article to be visible in the Web-based Knowledge Base.)

What customers should do
========================
Microsoft highly recommends that users who have affected software installed
on their systems should download and install the available patch as soon as
possible.

Windows 98
----------
Windows 98 customers can obtain the patch using Windows Update. To do this,
launch Windows Update from the Windows Start Menu and click "Product
Updates." When prompted, select 'Yes' to allow Windows Update to determine
whether this patch and other updates are needed by your computer. If your
computer does need this patch, you will find it listed under the "Critical
Updates" section of the page.

Internet Explorer 4
-------------------
Customers using Internet Explorer 4 can obtain patch information for
specific platforms from the Internet Explorer Security web site,
http://www.microsoft.com/ie/security/dotless.htm

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin MS98-016, Update available for "Dotless
   IP Address" Issue in Microsoft Internet Explorer 4, (the Web posted
   version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-016.htm
 - Microsoft Knowledge Base (KB) article Q168617, Update Available for
   Dotless IP Address Security Issue,
   http://support.microsoft.com/support/kb/articles/q168/6/17.asp

(Note: It might take 24 hours from the original posting of this bulletin for
the KB article to be visible in the Web-based Knowledge Base.)

Administrative Workaround
=========================
If you are unable to apply the patch, you can reduce your risk of being
affected by this problem by adjusting your Intranet Zone settings to be the
same as those used by the Internet Zone. To do this, perform the following
steps:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Internet, and then click the Security tab.
3. In the Zone box, click local Intranet Zone.
4. Modify the local Intranet Zone security level or custom settings
   to match those in the Internet Zone.
5. Click OK to close the Internet Properties sheet.

Note: The default configuration for both the Internet Zone and the Local
Intranet Zone is "Medium Security". However, there is one difference between
these defaults: the local Intranet Zone enables the automatic use of NTLM
challenge response authentication with local Intranet machines, while this
option is disabled by default when connecting to servers in the Internet
Zone. If you need to change this setting, perform the following steps:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Internet, and then click the Security tab.
3. In the Zone box, click local Intranet Zone.
4. Select the level of security that you wish to use under User
   Identification | Logon.
5. Click OK to close the Security Settings dialog, then click OK to
   close the Internet 6. Properties sheet.

Obtaining Support on this Issue
===============================
This is a supported patch for Internet Explorer. If you have problems
installing this patch or require technical assistance with this patch,
please contact Microsoft Technical Support. For information on contacting
Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp

Acknowledgements
================
Microsoft was first notified of this issue by PC World in Denmark.

Revisions
=========
 - October 23, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security

-----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.