COMMAND

    MS IE

SYSTEMS AFFECTED

    - MS IE 4.0, 4.01 and 4.01 SP1 on WinNT 4.0, Win95
    - MS Win 98, with integrated IE
    - MS IE 4.0 and 4.01 for WfW 3.1 and WinNT 3.51
    - MS IE 4.01 for UNIX

PROBLEM

    Sune  Hansen  discovered  a  security  problem which affects Trust
    Zones within Internet  Explorer 4.0+.   Basically, if you  provide
    IE with

        http://3475932041

    you'll arrive at Microsoft's web site.  However, it will be
    listed, and treated, as part of your Local Intranet Zone when in
    fact it should be part of some other zone.  For anyone who has
    made no modifications to their zones (i.e. using the defaults
    supplied with IE), there is almost no difference, since both Local
    Intranet Zone and Internet Zone are set to "Medium" security.  The
    one exception is:

        User authentication->Logon
        "Automatic logon only in intranet zone"

    In other words IE4 will send your NT username and hashed  password
    just as IE3 still does.

    If, however,  modifications have  been made  to the  zone security
    configuration such that,  for example, the  Internet Zone is  more
    restrictive  than  the  Local  Intranet  Zone,  then the fact such
    32-bit  URLs  end  up  being  seen  by  IE as trusted can create a
    problem.   IE appears  to assume  that anything  it sees without a
    period in the URL should be treated as part of the Local  Intranet
    Zone.  Winsock then takes  the address and properly translates  it
    to a reachable IP  address (you could just  as easily use PING  or
    some other utility with such an address).
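
    The heuristic described above, modelled as an added example (not
    code from the advisory or from Microsoft).  It shows the 32-bit
    host from the advisory landing in the Local Intranet Zone, next to
    a check that converts numeric hosts to an address before
    classifying.  The intranet ranges and the sample URLs other than
    the advisory's are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed intranet ranges for this example (RFC 1918); not from the advisory.
INTRANET_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dotless_to_ip(host):
    """Return the dotted-quad form of a bare 32-bit decimal host, else None."""
    if host.isascii() and host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return None


def naive_zone(url):
    """Heuristic as the advisory describes it: no period => Local Intranet."""
    host = urlsplit(url).hostname or ""
    return "Local Intranet" if "." not in host else "Internet"


def hardened_zone(url, intranet_nets=INTRANET_NETS):
    """Resolve numeric hosts to an address first, then classify by address."""
    host = urlsplit(url).hostname or ""
    literal = dotless_to_ip(host) or host
    try:
        addr = ipaddress.IPv4Address(literal)
    except ValueError:
        # Not an IP literal: a single-label name is still a local name.
        return "Local Intranet" if "." not in host else "Internet"
    in_lan = any(addr in net for net in intranet_nets)
    return "Local Intranet" if in_lan else "Internet"


if __name__ == "__main__":
    # First URL is the one from the advisory; the rest are constructed samples.
    for url in ("http://3475932041", "http://167772161/",
                "http://intranetsrv/", "http://www.example.com/"):
        host = urlsplit(url).hostname
        print(f"{url:28} ip={dotless_to_ip(host)!s:16} "
              f"naive={naive_zone(url):15} hardened={hardened_zone(url)}")
```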

    Sune tested this on Windows '98,  and Russ Cooper tested it on  NT
    4.0 SP4 RC2 with IE 4.0 (SP1;2735 - 4.72.3110.8), and both  caused
    the same problem.

SOLUTION

    Anyone  who  is  using  Trust  Zones  should understand that they,
    alone, will not  prevent a site  from placing a  URL in the  above
    fashion and causing a site to  be viewed as a Local Intranet  Zone
    site.  Proxies, and Firewalls,  however, are not affected by  this
    and  will  properly  enforce  restrictions  if so configured.  The
    problem appears to  reside entirely within  the mechanism that  IE
    uses to determine if something is part of the Local Intranet  Zone
    when no servers are configured in that zone.  Microsoft is working
    on this issue.

    On IE 4.0 (4.72.3110.1 German  version w/ win98) the bug  seems to
    rely on the option  "add all local sites  which are not listed  in
    another zone"  (or however  the English  text for  that will be) -
    when you  uncheck this  option (internet  options/security; choose
    "local intranet  zone"/add sites)  the 32bit-URLs  will be treated
    correctly as internet zone sites.   So, as a workaround it  should
    do to add all local sites  manually to the intranet list with  the
    "advanced" option.

    Microsoft has published the following Knowledge Base (KB)  article
    on this issue:

        http://support.microsoft.com/support/kb/articles/q168/6/17.asp

    Windows 98
    ----------
        Windows  98  customers  can  obtain  the  patch  using Windows
        Update.  To  do this, launch  Windows Update from  the Windows
        Start Menu and click "Product Updates." When prompted,  select
        'Yes' to allow Windows Update to determine whether this  patch
        and  other  updates  are  needed  by  your  computer.  If your
        computer does need this patch,  you will find it listed  under
        the "Critical Updates" section of the page.

    Internet Explorer 4
    -------------------
        Customers  using   Internet  Explorer   4  can   obtain  patch
        information for specific platforms from the Internet  Explorer
        Security web site,

        http://www.microsoft.com/ie/security/dotless.htm

    Administrative Workaround
    -------------------------
    If you are unable to apply the patch, you can reduce your risk  of
    being affected  by this  problem by  adjusting your  Intranet Zone
    settings to be the same as those used by the Internet Zone. To  do
    this, perform the following steps:

        1. Click  Start,  point  to  Settings, and then click  Control
           Panel.
        2. Double-click Internet, and then click the Security tab.
        3. In the Zone box, click local Intranet Zone.
        4. Modify  the local  Intranet Zone  security level  or custom
           settings to match those in the Internet Zone.
        5. Click OK to close the Internet Properties sheet.

    Note: The default configuration for both the Internet Zone and the
    Local Intranet Zone  is "Medium Security".  However, there is  one
    difference between these defaults: the local Intranet Zone enables
    the automatic use of  NTLM challenge response authentication  with
    local Intranet machines, while this option is disabled by  default
    when connecting to  servers in the  Internet Zone. If  you need to
    change this setting, perform the following steps:

        1. Click  Start,  point  to  Settings, and then click  Control
           Panel.
        2. Double-click Internet, and then click the Security tab.
        3. In the Zone box, click local Intranet Zone.
        4. Select  the level  of security  that you  wish to use under
           User Identification | Logon.
        5. Click OK to close the Security Settings dialog, then  click
           OK to close the Internet Properties sheet.