Even after the patch described in Microsoft Security Bulletin MS98-016 (http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still has big problems with distinguishing between sites that belong in the "Internet Zone" and sites that belong in the "Local Intranet Zone". MS98-016 dealt with addresses such as http://031713501415/, which resolve to Internet hosts but are categorized as being in the "Local Intranet Zone". I've found two cases where the problem still exists. The first is when the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings set to include domains such as "com". In that case, the address http://microsoft/ will retrieve the page at http://microsoft.com/ but it will be considered to be in the "Local Intranet Zone". The second case occurs when a host has an assigned alias in the hosts table (C:\WINDOWS\HOSTS). A host table entry such as: 207.46.131.13 hello will cause the URL http://hello/ to retrieve the page at http://207.45.131.13/, but (yep, you guess it) Internet Explorer still considers it to be in the "Local Intranet Zone". This has security implications, since settings for the Local Intranet Zone may be (and, by default, ARE) less secure than those for the Internet Zone. And the funny part? Microsoft's response when I told them this: --8<---cut here----------------------------------------- Hi Jim - Had a talk with one of the IE developers, and this behavior is correct. Here's why: it's impossible to tell from an IP address whether it's internal or external. 100.100.100.100, or any other address, could be either internal or external, depending on whether you're behind a firewall or not. That means that IE has to rely on the URL. By convention, an URL that does not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an internal site. I'm told that this is how all web browsers make the distinction. You have to make specific reconfigurations to allow the dotless URLs to resolve externally. Thanks, Secureat_private --8<---cut here----------------------------------------- "This behavior is correct"?!?!?! Give me a break. They obviously didn't think so when they released the MS98-016 bulletin. Jim Paris jimat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:10 PDT