|
|
|
Internet Explorer 4.0 (with the latest patches available, SP1) was found to be vulnerable to a security compromise, this compromise enables a malicious user to direct the browser to a web page, while making Internet Explorer think it is still in the "Local Intranet Zone" thus making the security settings less restrictive.
|
|
Credit:
Microsoft's security home page can be found here: http://www.microsoft.com/security.
Microsoft's explanation of Security Zones can be found here: http://www.microsoft.com/ie/ie40/features/sec-zones.htm.
Microsoft released a patch, it is described at: http://www.microsoft.com/security/bulletins/ms98-016.htm.
|
|
Internet Explorer 4.0 uses Zones to create buffer areas, where security parameters can be set to be less restrictive, so that additional features and options can be enabled (For example the use of ActiveX can be enabled while the user browses through the company's Intranet, and disabled while browsing the Internet).
Internet Explorer 4.0 has four predefined zones: Internet, Local Intranet, Trusted Sites and Restricted Sites. Using these settings a user can define what the browser can access while it shows HTML, where Trusted Sites and Local Intranet have by default a less restrictive access (meaning, more access to computer resources).
This security compromise happens due to the way Internet Explorer 4.0 defines the type of site it has encountered (Internet, Local Intranet, Trusted Sites or Restricted Sites), it does so by checking the URL and looking for "signs" of the web site's type (e.g. a URL that points to "http://webserver", would be interpreted as Local Intranet). A malicious user could point the browser to the following URL: http://3475932041 causing it to connect to Microsoft's web site but showing it as being in a Local Intranet zone.
This number 3475932041 is the numeric presentation of the IP address (this is calculated by converting the IP address, a.b.c.d, to d+c*16+b*256+a*4096. This is done automatically by the Windows's Socket stack.
The bug was found by Sune Hansen, the Web master of http://www.WorldWideWait.com.
|
|
|