Security Bulletin

Microsoft Security Bulletin MS98-016 - Critical

Update available for 'Dotless IP Address' Issue in Microsoft Internet Explorer 4

Published: October 23, 1998 | Updated: May 16, 2003

Version: 2.0

Summary

Microsoft has released a patch that fixes a vulnerability in how Internet Explorer 4 determines which security zone a target server is in. By using this vulnerability, a malicious hacker could misrepresent the URL of their website, causing the site to be treated as if it were located on an intranet by Internet Explorer's Security Zones feature. This cannot happen accidentally; rather, a malicious website operator must intentionally misrepresent the URL of their site by creating malicious code for users to be affected by this issue.

Microsoft highly recommends that users that have affected software installed on their systems should download and install the available patch as soon as possible.

Issue

The "Dotless IP Address" issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious web site operator to misrepresent the URL of an Internet web site and make it appear as if the machine is in the user's "Local Intranet Zone". Internet Explorer can apply different security settings to different zones. By this means, a malicious site could potentially perform actions that had been disabled in the Internet Zone or Restricted Sites Zone, but are permitted in the Local Intranet Zone.

The nature of this vulnerability is that, in determining what zone a web site belongs to, Internet Explorer interprets a 32-bit number (e.g. https://031713501415) as an all-numeric host name, while the IP stack resolves this address to its equivalent dotted IP format (e.g. 207.46.131.13). Internet Explorer incorrectly considers this machine to be in the Local Intranet Zone, rather than in the Internet Zone, and could incorrectly apply security settings to the web server.
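The mismatch described above, as an added example that is not part of the original bulletin and is not Internet Explorer's code: a simplified model in which "no dots" means intranet, shown beside a check that first canonicalises numeric hosts. The function names are hypothetical, and the parsing assumes the classic inet_aton() conventions (decimal, 0-prefixed octal, 0x-prefixed hex, last part filling the remaining bytes).

```python
import ipaddress

def _part(p):
    """Parse one component as decimal, 0-prefixed octal or 0x-prefixed hex."""
    s = p.lower()
    if s.startswith("0x"):
        digits, base = s[2:], 16
    elif len(s) > 1 and s.startswith("0"):
        digits, base = s[1:], 8
    else:
        digits, base = s, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)

def parse_numeric_host(host):
    """Return the IPv4Address a numeric host resolves to, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_part(p) for p in parts]
    if None in vals:
        return None
    *head, last = vals
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last + sum(v << (8 * (3 - i)) for i, v in enumerate(head))
    return ipaddress.IPv4Address(addr)

def naive_zone(host):
    """Flawed rule (assumed model): a host name without dots is intranet."""
    return "Local Intranet" if "." not in host else "Internet"

def hardened_zone(host):
    """Canonicalise numeric hosts to dotted form, then apply the same rule."""
    ip = parse_numeric_host(host)
    return naive_zone(str(ip) if ip is not None else host)

if __name__ == "__main__":
    # First host is the bulletin's example; the others are constructed.
    for h in ["031713501415", "3475931917", "0xCF2E830D", "fileserver"]:
        print(f"{h:>14}  naive={naive_zone(h):<15} hardened={hardened_zone(h)}")
```

The same canonicalise-before-classify step applies to any URL filter or allow-list that makes decisions from the textual form of a host.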

Note: The default configuration for both the Internet Zone and the Local Intranet Zone is "Medium Security". However, there is one difference between these defaults: the Local Intranet Zone enables the automatic use of NTLM challenge response authentication with local intranet machines, while this option is disabled by default when talking with servers in the Internet Zone. (See the "Administrative Workaround" section below for more details on changing these defaults.)

While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to address any risks posed by this issue.

Affected Software Versions

  • Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
  • Microsoft Windows 98, with integrated Internet Explorer
  • Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1 and Windows NT 3.51
  • Microsoft Internet Explorer 4.01 for UNIX

Vulnerability Identifier: CVE-1999-1087

This vulnerability does not affect Internet Explorer 3.

This vulnerability does not affect Internet Explorer 4 for the Macintosh.

What Microsoft is Doing

On October 23rd Microsoft released a patch that fixes the problem identified. This patch is available for download from the sites listed below.

Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:

  • Microsoft Knowledge Base (KB) article 168617, Update Available for Dotless IP Address Security Issue https:

    (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

What customers should do

Microsoft highly recommends that users who have affected software installed on their systems download and install the available patch as soon as possible. Complete URLs for each affected software version are given below.

Windows 98

Windows 98 customers can obtain the patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click "Product Updates." When prompted, select 'Yes' to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the "Critical Updates" section of the page.

Internet Explorer 4

Customers using Internet Explorer 4 can obtain patch information for specific platforms from the Internet Explorer Security web site, https:

More Information

Please see the following references for more information related to this issue.

  • Microsoft Knowledge Base (KB) article 168617, Update Available for Dotless IP Address Security Issue https:

    (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

Administrative Workaround

If you are unable to apply the patch, you can reduce your risk of being affected by this problem by adjusting your Intranet Zone settings to be the same as those used by the Internet Zone. To do this, perform the following steps:

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Internet, and then click the Security tab.
  3. In the Zone box, click local Intranet Zone.
  4. Modify the local Intranet Zone security level or custom settings to match those in the Internet Zone.
  5. Click OK to close the Internet Properties sheet.

Note: The default configuration for both the Internet Zone and the Local Intranet Zone is "Medium Security". However, there is one difference between these defaults: the local Intranet Zone enables the automatic use of NTLM challenge response authentication with local Intranet machines, while this option is disabled by default when connecting to servers in the Internet Zone. If you need to change this setting, perform the following steps:

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Internet, and then click the Security tab.
  3. In the Zone box, click local Intranet Zone.
  4. Select the level of security that you wish to use under User Identification | Logon.
  5. Click OK to close the Security Settings dialog, then click OK to close the Internet Properties sheet.

Obtaining Support on this Issue

This is a supported patch for Internet Explorer. If you have problems installing this patch or require technical assistance with this patch, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see https:

Acknowledgments

Microsoft was first notified of this issue by PC World in Denmark. This problem was originally discovered by Sune Bülow Hansen.

Revisions

  • October 23, 1998: Bulletin Created
  • V2.0 (May 16, 2003): Introduced versioning and updated patch availability information.

For additional security-related information about Microsoft products, please visit https://www.microsoft.com/technet/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
