Next message: mea culpa: "[ISN] NT 4.0 SP4 is actually out"
http://www.msnbc.com/news/206992.asp#BODY
IE can treat Internet sites as if they were on intranet
By Bruce Brown
BUGNET
Oct. 20 — Posters on a Danish newsgroup have discovered a new security
hole in Microsoft Internet Explorer. Microsoft has confirmed the potential
security breach, dubbed the “Look Ma, No Dots” bug.
“THE BUG MAKES IT possible to circumvent the higher security levels
that can be set in Internet Explorer for Internet sites (as opposed to
intranet sites) by a simple calculation based on the site’s IP address,”
according to Jakob Paikin, one of the bug’s Danish discoverers.
While Internet addresses are normally expressed in their DNS form
of recognizable words (e.g., www.bugnet.com), every named URL address on
the Web can be translated into a numerical IP address. Normally IP
addresses are displayed as four numbers separated by dots (e.g.,
207.158.205.117).
A site can be accessed by either the name or the IP address. So,
for example, both http://www.bugnet.com and http://207.158.205.117 display
the main BugNet free page. But every IP address can also be recalculated
to a single number. Here’s how. Multiply the first part by 256 cubed (256
to the third power), multiply the second by 256 squared, multiply the
third by 256, multiply the fourth by 1 — and now add all the values
together.
Recalculating the address for BugNet in this manner yields
3483290997. And in fact, clicking http://3483290997 will take you to the
same BugNet page. Try it. (Note: If you are accessing the Internet
through a proxy server, you will most likely get a “site not found” error.
Most proxies automatically append a default domain to addresses not
containing dots.)
The problem for Internet Explorer 4 comes from the fact that
Microsoft’s browser assumes that any address not containing dots is an
intranet address, and applies security accordingly.
“Since intranet security is often set lower than for Internet
sites, the user may unknowingly allow an Internet site to operate at an
intranet security level,” according to Paikin.
The bug poses a problem in the following scenario:
[*] 1) The user has set a lower security level for the intranet Security
Zone.
[*] 2) The user accesses a Web site that contains a “malicious” ActiveX
component or Java applet).
[*] 3) The malicious Web site is accessed via a link that uses the
compressed format like http://3483290997.
It is worth noting that the user would have to modify IE4’s default
intranet Security Zone settings to be affected. Also, many corporate users
with access to both the Internet and an intranet are served by proxy
servers, which would most likely block the hole, according to Bob Minor of
CyberMill in St. Louis.
A Microsoft spokesman in Denmark told PC World Denmark that “our
developers are currently working to address this issue. In the meantime,
users can protect themselves by returning their intranet zone to the
default settings and if prompted to download content from the Internet, it
is important for users to use safe computing practices.”
The problem apparently affects only Internet Explorer 4 for
Windows. Netscape and Internet Explorer on the Mac are not affected.
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 13:08:25 PDT