Technology Stocks : BUG ALERT

To: Milk who wrote (3)10/21/1998 3:12:00 PM
From: Cheeky Kid   of 24
 
October 20, 1998

New Internet Explorer Security Hole Discovered in Denmark

POSTERS ON a Danish newsgroup have discovered a new security hole in Microsoft Internet Explorer.

Microsoft has confirmed the potential security breach, dubbed the "Look Ma, No Dots" bug.

"The bug makes it possible to circumvent the higher security levels that can be set in Internet Explorer for Internet sites (as opposed to intranet sites) by a simple calculation based on the site's IP address," according to Jakob Paikin, one of the bug's Danish discoverers.

While Internet addresses are normally expressed in their DNS form of recognizable words (e.g., www.bugnet.com), every named URL address on the Web can be translated to a numerical IP address. Normally IP addresses are displayed as four numbers separated by dots (e.g., 207.158.205.117).

A site can be accessed by either the name or the IP address. So for example both bugnet.com and 207.158.205.117 display the main BugNet free page.

But every IP address can also be recalculated to a single number. Here's how. Multiply the first part by 256^3, multiply the second by 256^2, multiply the third by 256, multiply the fourth by 1 -- and now add all the values together.

Recalculating the address for BugNet in this manner yields 3483290997. And in fact, clicking http://3483290997 will take you to the same BugNet page (unless you're using a proxy server, in which case you'll get a "page not found" error). Try it.

THE PROBLEM for Internet Explorer 4 comes from the fact that Microsoft's browser assumes that any address not containing dots is an intranet address, and applies security accordingly.

"Since intranet security is often set lower than for Internet sites the user may -- unknowingly -- allow an Internet site to operate at an intranet security level," according to Paikin.

The bug poses a problem in the following scenario:

1. The user has set a lower security level for the intranet Security Zone.

2. The user accesses a website that contains a "malicious" ActiveX component or Java applet.

3. The malicious website is accessed via a link that uses the compressed format like http://3483290997.

It is worth noting that the user would have to modify IE4's default intranet Security Zone settings to be affected. Also, many corporate users with access to both the Internet and an intranet are served by proxy servers, which would block the hole, according to Bob Minor of CyberMill in St. Louis.

A Microsoft spokesman in Denmark told PC World Denmark that "our developers are currently working to address this issue. In the meantime, users can protect themselves by returning their intranet zone to the default settings, and if prompted to download content from the Internet, it is important for users to use safe computing practices."

The problem apparently affects only Internet Explorer 4 for Windows. Netscape and Internet Explorer on the Mac are not affected.

-- Bruce Brown
www.bugnet.com
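Added example, not part of the original post or the BugNet article: a Python sketch of the "no dots means intranet" rule the article describes, next to a check that canonicalizes the host before choosing a zone, as a URL filter or proxy might. The function names, the private-range policy and the host name "fileserver" are assumptions made for illustration; this is a model of the described behavior, not Internet Explorer's code.

```python
import ipaddress
from urllib.parse import urlsplit

def dotted_to_dword(ip):
    """a.b.c.d -> a*256^3 + b*256^2 + c*256 + d, the article's recalculation."""
    a, b, c, d = (int(part) for part in ip.split("."))
    return a * 256**3 + b * 256**2 + c * 256 + d

def canonical_host(url):
    """Return the URL's host, rewriting an all-digit host as a dotted IPv4 address."""
    host = urlsplit(url).hostname or ""
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    return host

def naive_zone(url):
    """Model of the flawed rule described in the article: no dots means intranet."""
    host = urlsplit(url).hostname or ""
    return "intranet" if "." not in host else "internet"

def hardened_zone(url):
    """Classify only after canonicalizing, so a numeric host is judged as an IP."""
    host = canonical_host(url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a single-label name is still treated as intranet.
        return "intranet" if "." not in host else "internet"
    # Assumed policy for this sketch: only private-range addresses are intranet.
    return "intranet" if ip.is_private else "internet"

def zone_mismatches(urls):
    """URLs that the naive rule places in a different zone than the hardened rule."""
    return [u for u in urls if naive_zone(u) != hardened_zone(u)]

# Constructed sample input; "fileserver" is a hypothetical intranet host name.
SAMPLE_URLS = [
    "http://www.bugnet.com/",
    "http://207.158.205.117/",
    "http://3483290997/",
    "http://fileserver/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, canonical_host(url), naive_zone(url), hardened_zone(url))
    print("mismatches:", zone_mismatches(SAMPLE_URLS))
```

Only the dotless numeric URL is zoned differently by the two rules, which makes `zone_mismatches` usable as a quick check over proxy or browser-history URLs.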