[9839] in bugtraq
Re: More Internet Explorer zone confusion
daemon@ATHENA.MIT.EDU (Jim Paris)
Mon Mar  8 14:57:48 1999
Date: 	Mon, 8 Mar 1999 14:17:43 -0500
Reply-To: Jim Paris <jim@JTAN.COM>
From: Jim Paris <jim@JTAN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <000201be6941$8df9ed70$9600f812@parity.mit.edu> from "Jeremy Nimmer" at Mar 8, 99 03:56:27 am
> The difference between MS98-016 and your examples is simple.  The bulletin
> addressed an issue where an external site could, without your control, fool
> your browser into thinking a remote site was "local intranet".
And this can occur with my examples as well.  I didn't control it at
all.
> In your
> examples, the user must choose specific settings to allow the problem to
> occur.  If you are concerned about the problem, simply remove .com, etc.
> from your DNS suffix search, and don't put nasty hosts in your hosts file.
Just because I added a DNS suffix search order and put hosts into my
hosts file does not (or, at least, SHOULD not) mean that I am choosing
"specific settings to allow the problem to occur".  How was I supposed
to know that simplifying my life by adding a search suffix of ".com" was
opening me up to a vulnerability?
> In the end, this is not a "bug" in the browser - it's a configuration
> problem.  While worthy of mention, it does not deserve flamage.
No, this is a bug in the browser.  Changing something over at point A
shouldn't affect my security at point B.
-jim
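The disagreement above is about a single mismatch: the browser decides the security zone from the shape of the name that was typed, while the resolver (hosts file, then DNS with the suffix search order appended) decides where that name actually goes. The following is an added example, written for this page and not code from the original post or from Internet Explorer; it models that mismatch so the two configuration changes Jim describes can be checked mechanically. It assumes the zone rule is "a name with no dot is Local intranet", which is how the thread characterises the behaviour and not something confirmed by the page; the suffix list, hosts file, DNS table and "local" address ranges are constructed sample data; and `audit()` is a check added here, not anything either poster proposed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration for the example (not from the original post).
# A DNS suffix search order that ends in "com", as the post describes adding,
# a hosts file with one plain name pointed at a remote address, and a toy
# DNS table standing in for the real resolver.
SUFFIX_SEARCH_ORDER = ["corp.example", "com"]
HOSTS_FILE = {"payroll": "10.1.2.3", "nasty": "203.0.113.9"}
DNS_TABLE = {
    "payroll.corp.example": "10.1.2.3",
    "evil.com": "198.51.100.7",
    "www.example.org": "192.0.2.10",
}
# Assumed address ranges that this site really would consider "intranet".
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]


def zone_by_name_shape(hostname):
    """Assumed browser rule: a name containing no dot is treated as
    Local intranet, everything else as Internet. The zone is decided
    from the typed name alone, before any resolution happens."""
    return "Local intranet" if "." not in hostname else "Internet"


def resolve(hostname, hosts=HOSTS_FILE, suffixes=SUFFIX_SEARCH_ORDER, dns=DNS_TABLE):
    """Resolver model: the hosts file wins, a dotted name is looked up as
    typed, and a plain name has each search suffix appended in turn.
    Returns the name that actually matched and its address."""
    if hostname in hosts:
        return hostname, hosts[hostname]
    if "." in hostname:
        if hostname in dns:
            return hostname, dns[hostname]
    else:
        for suffix in suffixes:
            fqdn = f"{hostname}.{suffix}"
            if fqdn in dns:
                return fqdn, dns[fqdn]
    raise LookupError(f"cannot resolve {hostname!r}")


def is_local_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


@dataclass
class ZoneCheck:
    hostname: str
    zone: str
    resolved_name: str
    address: str
    confused: bool   # zone grants intranet trust to an off-site address


def check(hostname, hosts=HOSTS_FILE, suffixes=SUFFIX_SEARCH_ORDER, dns=DNS_TABLE):
    """Compare what the zone logic decides with where the name really goes."""
    zone = zone_by_name_shape(hostname)
    resolved_name, address = resolve(hostname, hosts, suffixes, dns)
    confused = zone == "Local intranet" and not is_local_address(address)
    return ZoneCheck(hostname, zone, resolved_name, address, confused)


def audit(hosts=HOSTS_FILE, suffixes=SUFFIX_SEARCH_ORDER, dns=DNS_TABLE):
    """List every plain (dotless) name this configuration would place in
    the Local intranet zone while it resolves to a non-local address:
    entries in the hosts file plus every DNS name that a search suffix
    would complete from a single label."""
    candidates = set(hosts)
    for fqdn in dns:
        for suffix in suffixes:
            if fqdn.endswith("." + suffix):
                label = fqdn[: -len(suffix) - 1]
                if "." not in label:
                    candidates.add(label)
    return sorted(name for name in candidates
                  if check(name, hosts, suffixes, dns).confused)


if __name__ == "__main__":
    for name in ["payroll", "nasty", "evil", "www.example.org"]:
        r = check(name)
        flag = "  ZONE CONFUSION" if r.confused else ""
        print(f"{name:16} zone={r.zone:15} -> {r.resolved_name} ({r.address}){flag}")
    print("plain names to worry about:", audit())
```

Running `audit()` with the sample data flags both `evil` (reached only through the `com` suffix) and `nasty` (the hosts file entry); calling it with `suffixes=["corp.example"]` drops `evil`, which is exactly the workaround Jeremy suggests, and shows why Jim's objection stands: the zone was assigned from the typed name without ever consulting what the resolver would do with it.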