More Internet Explorer zone confusion

From: Jim Paris (jimat_private)
Date: Fri Mar 05 1999 - 18:53:18 PST

    Even after the patch described in Microsoft Security Bulletin MS98-016
    (http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still
    has big problems with distinguishing between sites that belong in the
    "Internet Zone" and sites that belong in the "Local Intranet Zone".
    
    MS98-016 dealt with addresses such as http://031713501415/, which
    resolve to Internet hosts but are categorized as being in the "Local
    Intranet Zone".
    
    I've found two cases where the problem still exists.  The first is when
    the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
    set to include domains such as "com".  In that case, the address
    	http://microsoft/
    will retrieve the page at
    	http://microsoft.com/
    but it will be considered to be in the "Local Intranet Zone".
    
    The second case occurs when a host has an assigned alias in the hosts
    table (C:\WINDOWS\HOSTS).  A host table entry such as:
    	207.46.131.13	hello
    will cause the URL
    	http://hello/
    to retrieve the page at http://207.45.131.13/, but (yep, you guessed it)
    Internet Explorer still considers it to be in the "Local Intranet Zone".
    
    This has security implications, since settings for the Local Intranet
    Zone may be (and, by default, ARE) less secure than those for the
    Internet Zone.
    
    
    And the funny part?  Microsoft's response when I told them this:
    
    --8<---cut here-----------------------------------------
    
    Hi Jim -
    
    Had a talk with one of the IE developers, and this behavior is correct.
    Here's why: it's impossible to tell from an IP address whether it's internal
    or external.  100.100.100.100, or any other address, could be either
    internal or external, depending on whether you're behind a firewall or not.
    That means that IE has to rely on the URL.  By convention, an URL that does
    not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
    internal site.  I'm told that this is how all web browsers make the
    distinction.  You have to make specific reconfigurations to allow the
    dotless URLs to resolve externally. Thanks,
    
    Secureat_private
    
    --8<---cut here-----------------------------------------
    
    
    "This behavior is correct"?!?!?!  Give me a break.  They obviously
    didn't think so when they released the MS98-016 bulletin.
    
    
    Jim Paris
    jimat_private
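
An audit for the two configurations described in the message above, as an added example that is not part of the original post. It flags hosts-table aliases that are dotless (and so zoned by name as Local Intranet under the rule quoted in the reply) yet map to a public address, and suffix search entries that are a bare top-level label. The function names, the sample hosts table and the use of private address ranges as the meaning of "internal" are assumptions.

```python
import ipaddress

# Constructed sample hosts table; only the "hello" entry comes from the post.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
207.46.131.13   hello
10.1.2.3        intranet wiki
192.168.0.5     printer.corp.example
"""

def parse_hosts(text):
    """Yield (ip, name) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        for name in fields[1:]:
            yield ip, name

def zone_by_name(host):
    """Model of the rule quoted in the reply: no dot means Local Intranet."""
    return "Local Intranet" if "." not in host else "Internet"

def zone_by_address(ip):
    """Assumption: only private, loopback and link-local ranges are internal."""
    internal = ip.is_private or ip.is_loopback or ip.is_link_local
    return "Local Intranet" if internal else "Internet"

def audit_hosts(text):
    """Return dotless aliases that name-based zoning trusts but that point outside."""
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if zone_by_name(name) == "Local Intranet"
            and zone_by_address(ip) == "Internet"]

def audit_suffixes(suffixes):
    """Return search-order entries that are a single label, such as "com"."""
    return [s for s in suffixes if s.strip(".") and "." not in s.strip(".")]

if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"http://{name}/ is zoned by name as Local Intranet but maps to {ip}")
    for suffix in audit_suffixes(["corp.example.com", "com"]):
        print(f"search suffix '{suffix}' lets dotless names resolve to Internet hosts")
```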
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:10 PDT