Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: More Internet Explorer zone confusion

From: walt () BLARG NET (Walt Armour)
Date: Mon, 8 Mar 1999 00:18:10 -0800

I would agree that these are still issues but there is a difference
between them and the original problem.

With the original problem any site could redirect you to a site and make
it look like Local Intranet simply by using the 'http://031713501415/'
format.

With these two new issues someone must have direct knowledge about your
machine's configuration or have direct access to your machine in order to
make a not-quite-too-common configuration change.  If either of these
situations occurs then the safety level of my browser will quickly become
the least of my worries.  :)

IMO Microsoft is right in saying that the problems are (marginally)
different.  Whether or not their method for determining "local intranet"
is right is a completely different subject.

walt


On Fri, 5 Mar 1999, Jim Paris wrote:


Even after the patch described in Microsoft Security Bulletin MS98-016
(http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still
has big problems with distinguishing between sites that belong in the
"Internet Zone" and sites that belong in the "Local Intranet Zone".

MS98-016 dealt with addresses such as http://031713501415/, which
resolve to Internet hosts but are categorized as being in the "Local
Intranet Zone".

I've found two cases where the problem still exists.  The first is when
the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
set to include domains such as "com".  In that case, the address
      http://microsoft/
will retrieve the page at
      http://microsoft.com/
but it will be considered to be in the "Local Intranet Zone".

The second case occurs when a host has an assigned alias in the hosts
table (C:\WINDOWS\HOSTS).  A host table entry such as:
      207.46.131.13   hello
will cause the URL
      http://hello/
to retrieve the page at http://207.45.131.13/, but (yep, you guess it)
Internet Explorer still considers it to be in the "Local Intranet Zone".

This has security implications, since settings for the Local Intranet
Zone may be (and, by default, ARE) less secure than those for the
Internet Zone.


And the funny part?  Microsoft's response when I told them this:

--8<---cut here-----------------------------------------

Hi Jim -

Had a talk with one of the IE developers, and this behavior is correct.
Here's why: it's impossible to tell from an IP address whether it's internal
or external.  100.100.100.100, or any other address, could be either
internal or external, depending on whether you're behind a firewall or not.
That means that IE has to rely on the URL.  By convention, an URL that does
not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
internal site.  I'm told that this is how all web browsers make the
distinction.  You have to make specific reconfigurations to allow the
dotless URLs to resolve externally. Thanks,

Secure () Microsoft Com

--8<---cut here-----------------------------------------


"This behavior is correct"?!?!?!  Give me a break.  They obviously
didn't think so when they released the MS98-016 bulletin.


Jim Paris
jim () jtan com
Previous By Date Next
Previous By Thread Next

Current thread: