> The difference between MS98-016 and your examples is simple. The bulletin
> addressed an issue where an external site could, without your control, fool
> your browser into thinking a remote site was "local intranet".

And this can occur with my examples as well. I didn't control it at all.

> In your examples, the user must choose specific settings to allow the
> problem to occur. If you are concerned about the problem, simply remove
> .com, etc. from your DNS suffix search, and don't put nasty hosts in your
> hosts file.

Just because I added a DNS suffix search order and put hosts into my hosts file does not (or, at least, SHOULD not) mean that I am choosing "specific settings to allow the problem to occur". How was I supposed to know that simplifying my life by adding a search suffix of ".com" was opening me up to a vulnerability?

> In the end, this is not a "bug" in the browser - it's a configuration
> problem. While worthy of mention, it does not deserve flamage.

No, this is a bug in the browser. Changing something over at point A shouldn't affect my security at point B.

-jim
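The two settings debated in this message (a DNS suffix search list containing ".com" and hosts-file entries) can be audited with a short script. This is an added example, not part of the original message; it assumes the browser classifies any host name without a dot as "local intranet", and the suffix list, hosts file and TLD set below are constructed samples.

```python
import ipaddress

# Constructed sample inputs (not taken from the original post).
SAMPLE_SUFFIXES = ["corp.example", ".com"]
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1     localhost
10.1.2.3      fileserver
203.0.113.10  news            # dotless name, external address
198.51.100.7  www.example.com
"""

# Short illustrative set of public TLDs; extend as needed.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "mil"}

# RFC 1918 and link-local ranges, listed explicitly because
# ipaddress.is_private also covers documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def risky_suffixes(suffixes):
    """Return search suffixes that are bare public TLDs ('foo' -> 'foo.com')."""
    return [s for s in suffixes if s.strip(".").lower() in PUBLIC_TLDS]


def risky_hosts(hosts_text):
    """Return (name, address) for dotless names mapped to non-internal IPs."""
    findings = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, skip
        internal = addr.is_loopback or any(addr in n for n in INTERNAL_NETS)
        for name in fields[1:]:
            if "." not in name and not internal:
                findings.append((name, str(addr)))
    return findings


if __name__ == "__main__":
    print("suffixes:", risky_suffixes(SAMPLE_SUFFIXES))
    print("hosts:   ", risky_hosts(SAMPLE_HOSTS))
```

Any finding marks a dotless name that reaches an external host and would, under the stated assumption, receive intranet-zone trust.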
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:16 PDT