[9828] in bugtraq


Re: More Internet Explorer zone confusion

daemon@ATHENA.MIT.EDU (Jeremy Nimmer)
Mon Mar 8 11:33:51 1999

Date: Mon, 8 Mar 1999 03:56:27 -0500
Reply-To: bugtraq.user@parity.mit.edu
From: Jeremy Nimmer <bugtraq.user@PARITY.MIT.EDU>
X-To: jim@jtan.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199903060253.VAA03581@io.jtan.com>

>MS98-016 dealt with addresses such as http://031713501415/
>...
>user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
>...
>The second case occurs when a host has an assigned alias in the hosts
>...
>"This behavior is correct"?!?!?!  Give me a break.  They obviously
>didn't think so when they released the MS98-016 bulletin.
>
>Jim Paris
>jim@jtan.com

The difference between MS98-016 and your examples is simple.  The bulletin
addressed an issue where an external site could, without your control, fool
your browser into thinking a remote site was "local intranet".  In your
examples, the user must choose specific settings to allow the problem to
occur.  If you are concerned about the problem, simply remove .com, etc.
from your DNS suffix search, and don't put nasty hosts in your hosts file.

The zone settings are not meant to be rock-solid security protection.  If
they pose a risk to you, set all zones to the maximum security.  This was
all already talked about when the above-mentioned bulletin came out.

In the end, this is not a "bug" in the browser - it's a configuration
problem.  While worthy of mention, it does not deserve flamage.

Thanks,
-= remmiN ymereJ | Jeremy Nimmer =-
