Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: More Internet Explorer zone confusion

From: bugtraq.user () parity mit edu (Jeremy Nimmer)
Date: Mon, 8 Mar 1999 03:56:27 -0500


MS98-016 dealt with addresses such as http://031713501415/
...
user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
...
The second case occurs when a host has an assigned alias in the hosts
...
"This behavior is correct"?!?!?!  Give me a break.  They obviously
didn't think so when they released the MS98-016 bulletin.

Jim Paris
jim () jtan com


The difference between MS98-016 and your examples is simple.  The bulletin
addressed an issue where an external site could, without your control, fool
your browser into thinking a remote site was "local intranet".  In your
examples, the user must choose specific settings to allow the problem to
occur.  If you are concerned about the problem, simply remove .com, etc.
from your DNS suffix search, and don't put nasty hosts in your hosts file.

The zone settings are not meant to be rock-solid security protection.  If
they pose a risk to you, set all zones to the maximum security.  This was
all already talked about when the above-mentioned bulletin came out.

In the end, this is not a "bug" in the browser - it's a configuration
problem.  While worthy of mention, it does not deserve flamage.

Thanks,
-= remmiN ymereJ | Jeremy Nimmer =-
Previous By Date Next
Previous By Thread Next

Current thread: