Update Available for Dotless IP Address Security Issue

ID: Q168617

The information in this article applies to:

Microsoft Windows 98
Microsoft Internet Explorer versions 4.0, 4.01 for Windows 95
Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 4.0 (Alpha and x86)
Microsoft Internet Explorer versions 4.0, 4.01 for Windows 3.1
Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 3.51
Microsoft Internet Explorer version 4.01 for UNIX on HPUX
Microsoft Internet Explorer version 4.01 for UNIX on Sun Solaris

SUMMARY

Microsoft has released an update that addresses a potential security issue involving the implementation of Security Zones in Internet Explorer. Additional information about this issue is available from the following Microsoft Web sites:

http://www.microsoft.com/ie/security/dotless.htm

http://www.microsoft.com/security/bulletins/ms98-016.asp

Updates are available for the following products:

Microsoft Internet Explorer 4.01 for Windows 95

Microsoft Internet Explorer 4.01 for Windows NT 4.0 (Alpha and x86)

Microsoft Windows 98

Microsoft Internet Explorer 4.01 for Windows 3.1

Microsoft Internet Explorer 4.01 for Windows NT 3.51

This issue may enable a malicious Web site administrator to misrepresent the Web address (URL) of an Internet Web site, enabling the site to be treated by Internet Explorer's Security Zones feature as if it was located on a local Intranet.

By default, the settings for the local Intranet zone are similar to those for the Internet zone with regard to downloading executable code, (including ActiveX controls and plug-ins) in that you are prompted to confirm the download process before it begins. However, you may be at risk if you have altered your local Intranet zone settings to enable automatic downloading of executable content. Microsoft has not received any reports of adverse effects due to this issue.

MORE INFORMATION

NOTE: After you apply this update, computers on your local Intranet with completely numeric computer names are treated as if they are in the Internet zone. Note that Microsoft does not recommend using all numeric computer names as it can cause some utilities to misinterpret the names as IP addresses. This is documented in the following article in the Microsoft Knowledge Base:


   ARTICLE-ID: <LINK TYPE="ARTICLE" VALUE="Q190294">Q190294</LINK>


   TITLE     : Use of all Numeric NetBIOS Names Can Cause Problems

To work around this issue if you must use an all numeric computer name, add the computer's IP address to Internet Explorer's Proxy Server exceptions list. To do this, use the appropriate method:

NOTE: Perform the following steps only on computers that use a static IP address.

Microsoft Windows 95/98 or Microsoft Windows NT 4.0 or Later

Click Start, click Run, type "ping <all numeric computer name>" where <all numeric computer name> is the computer's all numeric computer name, and then click OK.

Note the computer's IP address, type "exit" (without quotation marks), and then press ENTER.

Click Start, point to Settings, click Control Panel, and then double-click Internet

Click the Connections tab, and then click Advanced under Proxy Server.

In the Exceptions box, enter the IP address that you noted in step 2, click OK, and then click OK.

Microsoft Windows 3.1x or Microsoft Windows NT 3.51

In Program Manager, click Run on the File menu.

In Windows NT 3.51, type "cmd" (without quotation marks), and then click OK. In Microsoft Windows 3.1x, type "command" (without quotation marks), and then click OK.

At the command prompt, type "ping <all numeric computer name>" where <all numeric computer name> is the computer's all numeric computer name, and then press ENTER.

Note the computer's IP address, type "exit" (without quotation marks), and then press ENTER.

In Internet Explorer, click Internet Options on the View menu, and then click the Connection tab.

Click Advanced, and then in the "Do not use proxy server for addresses beginning with:" box, type the IP address you noted in step 4, click OK, and then click OK.

Update Information by Product:

NOTE: If you are using Internet Explorer 4.0, you must install Internet Explorer 4.01 in order to apply this update. You can install Internet Explorer 4.01 with Service Pack 1 from the following Microsoft Web site:


   <LINK TYPE="GENERIC" VALUE="http://www.microsoft.com/ie/download">http://www.microsoft.com/ie/download</LINK>

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows 95:


   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           517360         10/21/98   4.72.3510.2000

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 (x86):


   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           517360         10/21/98   4.72.3510.2000

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 (Alpha):


   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           828688         10/21/98   4.72.3510.2000

Windows 98:


   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           517360         10/21/98   4.72.3510.2000

Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51:


   File Name            Size           Date       Version
   ------------------------------------------------------------
   Urlmon16.dll         351968         10/21/98   4.1.2510.2100

Reducing Your Risk If You Cannot Apply the Patch

If you are unable to apply the patch, you can reduce your risk of being affected by this problem by adjusting your Intranet Zone settings to be the same as those used by the Internet Zone. To do this, perform the following steps:

Click Start, point to Settings, and then click Control Panel.

Double-click Internet, and then click the Security tab.

In the Zone box, click local Intranet Zone.

Modify the local Intranet Zone security level or custom settings to match those in the Internet Zone.

Click OK to close the Internet Properties sheet.

Note: The default configuration for both the Internet Zone and the local Intranet zone is "Medium Security". However, there is one difference between these defaults: the local Intranet Zone enables the automatic use of NTLM challenge response authentication with local Intranet machines, while this option is disabled by default when connecting to servers in the Internet Zone. If you need to change this setting, perform the following steps:

Click Start, point to Settings, and then click Control Panel.

Double-click Internet, and then click the Security tab.

In the Zone box, click local Intranet Zone.

Select the level of security that you wish to use under User Identification | Logon.

Click OK to close the Security Settings dialog, then click OK to close the Internet Properties sheet.

Additional query words: 4.00 95 98


Keywords          : msiew95 msient msiew31 msieunix 
Version           : WINDOWS:
Platform          : WINDOWS 
Issue type        : kbinfo

Last Reviewed: April 2, 1999