COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    Win32

PROBLEM

    Patrick Gosling found the following. In certain circumstances,
    Internet Explorer 5.01 (observed on NT 4.0 SP6; other varieties
    of Windows not tested) believes that a URL such as http://ai/ is

        a) functionally identical to http://ai./
        b) in the "local intranet zone", as it has no '.' in the  host
           part.

    Implication:  an  unfriendly  manager  of  a  top level domain, or
    someone who  manages to  take control  of a  top level domain, can
    create an A-record in the DNS  for the top level component, run  a
    web server  on the  relevant machine,  and take  advantage of  the
    fact that  Internet Explorer  5.01 with  default security settings
    will do comparatively unsafe  things when visiting web  pages that
    it believes to be in the "local intranet zone".

    Among the various unsafe things it will do is to attempt automatic
    NTLM authentication.   What this  means is  that a  subversive web
    server can require NTLM  authentication, and IE will  volunteer an
    NTLM  authentication  attempt  without  prompting  the user.  This
    opens up a number of serious man-in-the-middle attacks.

    There  appear  to  be  some  subtleties  to  this  bug.   In  some
    circumstances, IE will refuse to load http://ai/, but will load
    it from cache  _and_ regard it  as in the  local intranet zone  if
    you  visit  http://ai./  beforehand.   However,  it will also then
    (apparently) load  other uncached  pages from  http://ai/somewhere
    direct _and_ regard them as being in the local intranet zone.
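    The two behaviours above (trailing-dot equivalence and the "no '.' in
    the host part" zone heuristic) can be emulated to sift proxy logs for
    dotless hosts that IE 5.01 would have zoned as Local intranet. The
    script below is an added example, not part of the original advisory;
    the sample URLs, the "intranetweb" host name and the allowlist are
    constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of proxy-log URLs (not from the advisory); "intranetweb"
# stands in for a legitimate single-label internal host name.
SAMPLE_URLS = [
    "http://ai/",
    "http://ai./",
    "http://ai/somewhere",
    "http://intranetweb/",
    "http://www.example.com/",
    "http://example.com./",
]

# Assumed allowlist of dotless host names that really are on the intranet.
KNOWN_INTERNAL = {"intranetweb"}


def normalize_host(url):
    """Return the host part of a URL the way the advisory says IE compares it:
    lower-cased, with the trailing root dot removed so 'ai.' and 'ai' match."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def ie_treats_as_intranet(url):
    """Emulate the zone heuristic in the advisory: a host with no '.' in it
    lands in the Local intranet zone, where NTLM is volunteered automatically."""
    return "." not in normalize_host(url)


def suspicious_dotless_hosts(urls, allowlist=KNOWN_INTERNAL):
    """Return dotless hosts that IE would zone as intranet but that are not on
    the allowlist: candidates for a TLD-as-hostname trick such as http://ai/.
    The result maps each flagged host to the URLs that referenced it."""
    flagged = {}
    for url in urls:
        if not ie_treats_as_intranet(url):
            continue
        host = normalize_host(url)
        if host and host not in allowlist:
            flagged.setdefault(host, []).append(url)
    return flagged


if __name__ == "__main__":
    for host, urls in suspicious_dotless_hosts(SAMPLE_URLS).items():
        print(host, "->", ", ".join(urls))
```

    Hosts it flags are the ones where a visit to http://ai./ followed by
    http://ai/somewhere would have been treated as intranet traffic.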

SOLUTION

    Nothing yet.