Update Available for Dotless IP Address Security Issue
ID: Q168617
|
The information in this article applies to:
-
Microsoft Windows 98
-
Microsoft Internet Explorer versions 4.0, 4.01 for Windows 95
-
Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 4.0 (Alpha and x86)
-
Microsoft Internet Explorer versions 4.0, 4.01 for Windows 3.1
-
Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 3.51
-
Microsoft Internet Explorer version 4.01 for UNIX on HPUX
-
Microsoft Internet Explorer version 4.01 for UNIX on Sun Solaris
SUMMARY
Microsoft has released an update that addresses a potential security
issue involving the implementation of Security Zones in Internet Explorer.
Additional information about this issue is available from the following
Microsoft Web sites:
Updates are available for the following products:
- Microsoft Internet Explorer 4.01 for Windows 95
- Microsoft Internet Explorer 4.01 for Windows NT 4.0 (Alpha and x86)
- Microsoft Windows 98
- Microsoft Internet Explorer 4.01 for Windows 3.1
- Microsoft Internet Explorer 4.01 for Windows NT 3.51
This issue may enable a malicious Web site administrator to misrepresent
the Web address (URL) of an Internet Web site, enabling the site to be
treated by Internet Explorer's Security Zones feature as if it was located
on a local Intranet.
By default, the settings for the local Intranet zone are similar to those
for the Internet zone with regard to downloading executable code,
(including ActiveX controls and plug-ins) in that you are prompted to
confirm the download process before it begins. However, you may be at risk
if you have altered your local Intranet zone settings to enable automatic
downloading of executable content. Microsoft has not received any reports
of adverse effects due to this issue.
MORE INFORMATION
NOTE: After you apply this update, computers on your local Intranet with
completely numeric computer names are treated as if they are in the
Internet zone. Note that Microsoft does not recommend using all numeric
computer names as it can cause some utilities to misinterpret the names
as IP addresses. This is documented in the following article in the
Microsoft Knowledge Base:
ARTICLE-ID: <LINK TYPE="ARTICLE" VALUE="Q190294">Q190294</LINK>
TITLE : Use of all Numeric NetBIOS Names Can Cause Problems
To work around this issue if you must use an all numeric computer name,
add the computer's IP address to Internet Explorer's Proxy Server
exceptions list. To do this, use the appropriate method:
NOTE: Perform the following steps only on computers that use a static IP
address.
Microsoft Windows 95/98 or Microsoft Windows NT 4.0 or Later
- Click Start, click Run, type "ping <all numeric computer name>" where
<all numeric computer name> is the computer's all numeric computer
name, and then click OK.
- Note the computer's IP address, type "exit" (without quotation marks),
and then press ENTER.
- Click Start, point to Settings, click Control Panel, and then
double-click Internet
- Click the Connections tab, and then click Advanced under Proxy Server.
- In the Exceptions box, enter the IP address that you noted in step 2,
click OK, and then click OK.
Microsoft Windows 3.1x or Microsoft Windows NT 3.51
- In Program Manager, click Run on the File menu.
- In Windows NT 3.51, type "cmd" (without quotation marks), and then
click OK. In Microsoft Windows 3.1x, type "command" (without quotation
marks), and then click OK.
- At the command prompt, type "ping <all numeric computer name>" where
<all numeric computer name> is the computer's all numeric computer
name, and then press ENTER.
- Note the computer's IP address, type "exit" (without quotation marks),
and then press ENTER.
- In Internet Explorer, click Internet Options on the View menu, and then
click the Connection tab.
- Click Advanced, and then in the "Do not use proxy server for addresses
beginning with:" box, type the IP address you noted in step 4, click
OK, and then click OK.
Update Information by Product:
NOTE: If you are using Internet Explorer 4.0, you must install Internet
Explorer 4.01 in order to apply this update. You can install
Internet Explorer 4.01 with Service Pack 1 from the following Microsoft
Web site:
<LINK TYPE="GENERIC" VALUE="http://www.microsoft.com/ie/download">http://www.microsoft.com/ie/download</LINK>
Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows
95:
File Name Size Date Version
-------------------------------------------------------------
Urlmon.dll 517360 10/21/98 4.72.3510.2000
Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows
NT 4.0 (x86):
File Name Size Date Version
-------------------------------------------------------------
Urlmon.dll 517360 10/21/98 4.72.3510.2000
Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows
NT 4.0 (Alpha):
File Name Size Date Version
-------------------------------------------------------------
Urlmon.dll 828688 10/21/98 4.72.3510.2000
Windows 98:
File Name Size Date Version
-------------------------------------------------------------
Urlmon.dll 517360 10/21/98 4.72.3510.2000
Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51:
File Name Size Date Version
------------------------------------------------------------
Urlmon16.dll 351968 10/21/98 4.1.2510.2100
Reducing Your Risk If You Cannot Apply the Patch
If you are unable to apply the patch, you can reduce your risk of being
affected by this problem by adjusting your Intranet Zone settings to be
the same as those used by the Internet Zone. To do this, perform the
following steps:
- Click Start, point to Settings, and then click Control Panel.
- Double-click Internet, and then click the Security tab.
- In the Zone box, click local Intranet Zone.
- Modify the local Intranet Zone security level or custom settings to
match those in the Internet Zone.
- Click OK to close the Internet Properties sheet.
Note: The default configuration for both the Internet Zone and the local
Intranet zone is "Medium Security". However, there is one difference
between these defaults: the local Intranet Zone enables the automatic use
of NTLM challenge response authentication with local Intranet machines,
while this option is disabled by default when connecting to servers in the
Internet Zone. If you need to change this setting, perform the following
steps:
- Click Start, point to Settings, and then click Control Panel.
- Double-click Internet, and then click the Security tab.
- In the Zone box, click local Intranet Zone.
- Select the level of security that you wish to use under User
Identification | Logon.
- Click OK to close the Security Settings dialog, then click OK to close
the Internet Properties sheet.
Additional query words:
4.00 95 98
Keywords : msiew95 msient msiew31 msieunix
Version : WINDOWS:
Platform : WINDOWS
Issue type : kbinfo
Last Reviewed: April 2, 1999