[ISN] New IE bug "No Dots Bug"

From: mea culpa (jerichot_private)
Date: Tue Oct 20 1998 - 18:01:42 PDT


    IE can treat Internet sites as if they were on intranet
                                    By Bruce Brown
    Oct. 20 — Posters on a Danish newsgroup have discovered a new security
    hole in Microsoft Internet Explorer. Microsoft has confirmed the potential
    security breach, dubbed the “Look Ma, No Dots” bug. 
           “The bug makes it possible to circumvent the higher security levels
    that can be set in Internet Explorer for Internet sites (as opposed to
    intranet sites) by a simple calculation based on the site’s IP address,”
    according to Jakob Paikin, one of the bug’s Danish discoverers.
           While Internet addresses are normally expressed in their DNS form
    of recognizable words (e.g., www.bugnet.com), every named URL address on
    the Web can be translated into a numerical IP address. Normally IP
    addresses are displayed as four numbers separated by dots (e.g., 
           A site can be accessed by either the name or the IP address. So,
    for example, both http://www.bugnet.com and display
    the main BugNet free page. But every IP address can also be recalculated
    to a single number.  Here’s how. Multiply the first part by 256 cubed (256
    to the third power), multiply the second by 256 squared, multiply the
    third by 256, multiply the fourth by 1 — and now add all the values
           Recalculating the address for BugNet in this manner yields
    3483290997. And in fact, clicking http://3483290997 will take you to the
    same BugNet page. Try it. (Note:  If you are accessing the Internet
    through a proxy server, you will most likely get a “site not found” error.
    Most proxies automatically append a default domain to addresses not
    containing dots.) 
           The problem for Internet Explorer 4 comes from the fact that
    Microsoft’s browser assumes that any address not containing dots is an
    intranet address, and applies security accordingly. 
           “Since intranet security is often set lower than for Internet
    sites, the user may unknowingly allow an Internet site to operate at an
    intranet security level,” according to Paikin. 
           The bug poses a problem in the following scenario: 
    [*] 1) The user has set a lower security level for the intranet Security
    [*] 2) The user accesses a Web site that contains a “malicious” ActiveX
    component or Java applet. 
    [*] 3) The malicious Web site is accessed via a link that uses the
    compressed format like http://3483290997. 
           It is worth noting that the user would have to modify IE4’s default
    intranet Security Zone settings to be affected. Also, many corporate users
    with access to both the Internet and an intranet are served by proxy
    servers, which would most likely block the hole, according to Bob Minor of
    CyberMill in St. Louis. 
           A Microsoft spokesman in Denmark told PC World Denmark that “our
    developers are currently working to address this issue. In the meantime,
    users can protect themselves by returning their intranet zone to the
    default settings and if prompted to download content from the Internet, it
    is important for users to use safe computing practices.”
           The problem apparently affects only Internet Explorer 4 for
    Windows. Netscape and Internet Explorer on the Mac are not affected. 
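
    The zone decision described above, as an added example that is not part of
    the original article or any Microsoft code: a naive "no dots means intranet"
    rule beside a check that first resolves a numeric host to the address it
    denotes. The function names and the 10.0.0.0/8 intranet range are
    assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: intranet ranges a site might configure (assumption).
INTRANET_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def dotted_to_dword(dotted):
    """Apply the article's arithmetic: a*256^3 + b*256^2 + c*256 + d."""
    a, b, c, d = (int(part) for part in dotted.split("."))
    return a * 256**3 + b * 256**2 + c * 256 + d

def host_as_ipv4(host):
    """Return an IPv4Address if host is dotted-quad or a single decimal number."""
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        return ipaddress.IPv4Address(int(host))
    try:
        return ipaddress.IPv4Address(host)
    except ValueError:
        return None

def naive_zone(url):
    """The flawed rule described above: no dot in the host means intranet."""
    host = urlsplit(url).hostname or ""
    return "intranet" if "." not in host else "internet"

def hardened_zone(url, intranet_nets=INTRANET_NETS):
    """Decide by the address a numeric host denotes before looking at dots."""
    host = urlsplit(url).hostname or ""
    addr = host_as_ipv4(host)
    if addr is not None:
        return "intranet" if any(addr in net for net in intranet_nets) else "internet"
    # Only a genuine single-label name (not a number) is treated as intranet.
    return "intranet" if host and "." not in host else "internet"

if __name__ == "__main__":
    # The first URL is the one from the article; the rest are constructed.
    for url in ("http://3483290997", "http://167772165/", "http://fileserver/",
                "http://www.bugnet.com"):
        print(f"{url:28} naive={naive_zone(url):9} hardened={hardened_zone(url)}")
```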
