I would agree that these are still issues but there is a difference between them and the original problem. With the original problem any site could redirect you to a site and make it look like Local Intranet simply by using the 'http://031713501415/' format. With these two new issues someone must have direct knowledge about your machine's configuration or have direct access to your machine in order to make a not-quite-too-common configuration change. If either of these situations occurs then the safety level of my browser will quickly become the least of my worries. :)

IMO Microsoft is right in saying that the problems are (marginally) different. Whether or not their method for determining "local intranet" is right is a completely different subject.

walt

On Fri, 5 Mar 1999, Jim Paris wrote:

> Even after the patch described in Microsoft Security Bulletin MS98-016
> (http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still
> has big problems with distinguishing between sites that belong in the
> "Internet Zone" and sites that belong in the "Local Intranet Zone".
>
> MS98-016 dealt with addresses such as http://031713501415/, which
> resolve to Internet hosts but are categorized as being in the "Local
> Intranet Zone".
>
> I've found two cases where the problem still exists. The first is when
> the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
> set to include domains such as "com". In that case, the address
> http://microsoft/
> will retrieve the page at
> http://microsoft.com/
> but it will be considered to be in the "Local Intranet Zone".
>
> The second case occurs when a host has an assigned alias in the hosts
> table (C:\WINDOWS\HOSTS). A host table entry such as:
> 207.46.131.13 hello
> will cause the URL
> http://hello/
> to retrieve the page at http://207.45.131.13/, but (yep, you guessed it)
> Internet Explorer still considers it to be in the "Local Intranet Zone".
>
> This has security implications, since settings for the Local Intranet
> Zone may be (and, by default, ARE) less secure than those for the
> Internet Zone.
>
> And the funny part? Microsoft's response when I told them this:
>
> --8<---cut here-----------------------------------------
>
> Hi Jim -
>
> Had a talk with one of the IE developers, and this behavior is correct.
> Here's why: it's impossible to tell from an IP address whether it's internal
> or external. 100.100.100.100, or any other address, could be either
> internal or external, depending on whether you're behind a firewall or not.
> That means that IE has to rely on the URL. By convention, a URL that does
> not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
> internal site. I'm told that this is how all web browsers make the
> distinction. You have to make specific reconfigurations to allow the
> dotless URLs to resolve externally. Thanks,
>
> Secureat_private
>
> --8<---cut here-----------------------------------------
>
> "This behavior is correct"?!?!?! Give me a break. They obviously
> didn't think so when they released the MS98-016 bulletin.
>
> Jim Paris
> jimat_private
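The following is an added example, not code from either poster or from Microsoft. It models the "no dot in the hostname means Local Intranet" convention quoted in Microsoft's reply, shows that the http://031713501415/ form from MS98-016 is simply 207.46.131.13 written as one octal number, and contrasts the hostname-shape heuristic with a classifier that looks at where the name actually resolves. The resolver table (standing in for DNS suffix search and the HOSTS file) and the internal address range are constructed for the demonstration; the names `naive_zone`, `address_based_zone` and `compare` are the example's own.

```python
# Added example (not code from the thread): the dotless-hostname zone
# heuristic, the octal IP form patched by MS98-016, and an address-based
# classifier. Resolver table and internal ranges are constructed.
import ipaddress
from urllib.parse import urlsplit


def decode_numeric_host(host):
    """Return the dotted-quad for a host written as a single bare number
    (octal with a leading 0, hex with 0x, or decimal), else None.
    "031713501415" from the thread is the octal form of 207.46.131.13."""
    try:
        if host.lower().startswith("0x"):
            n = int(host[2:], 16)
        elif len(host) > 1 and host.startswith("0"):
            n = int(host, 8)
        else:
            n = int(host, 10)
    except ValueError:
        return None
    if not 0 <= n <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def naive_zone(url):
    """The convention described in the thread: a hostname without a dot is
    assumed internal. Anything that lets a dotless name reach an Internet
    host (octal IP, DNS suffix search, a HOSTS alias) therefore lands in
    the less restrictive Local Intranet zone."""
    host = urlsplit(url).hostname or ""
    return "Local Intranet" if "." not in host else "Internet"


def address_based_zone(url, resolver, internal_nets):
    """Classify by the resolved address instead of the hostname's shape.
    `resolver` is a constructed dict standing in for DNS suffix search
    plus HOSTS; `internal_nets` is an administrator-supplied list of
    internal ranges (the configuration Microsoft's reply says IE lacks)."""
    host = urlsplit(url).hostname or ""
    addr = decode_numeric_host(host) or resolver.get(host)
    if addr is None:
        return "Unresolvable"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in internal_nets):
        return "Local Intranet"
    return "Internet"


# Constructed configuration mirroring the cases in the thread:
# "microsoft" found via a "com" suffix search, "hello" via a HOSTS alias,
# "intranet" a genuine internal server.
RESOLVER = {
    "microsoft": "207.46.131.13",
    "microsoft.com": "207.46.131.13",
    "hello": "207.46.131.13",
    "intranet": "10.1.2.3",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def compare(url):
    """Return (naive decision, address-based decision) for one URL."""
    return naive_zone(url), address_based_zone(url, RESOLVER, INTERNAL_NETS)


if __name__ == "__main__":
    for u in ("http://031713501415/", "http://microsoft/", "http://hello/",
              "http://intranet/", "http://microsoft.com/"):
        print(u, *compare(u))
```

Running the block prints the two decisions side by side: every dotless name is "Local Intranet" under the naive rule, while the address-based rule only grants that zone to the name that resolves into the configured internal range. The point walt makes still holds in this model: the octal form needs no knowledge of the victim's configuration, whereas the suffix-search and HOSTS cases depend on entries in `RESOLVER` that only exist if the machine was set up that way.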
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:13 PDT