Microsoft KB Archive/168617

= Update Available for Dotless IP Address Security Issue =

Article ID: 168617

Article Last Modified on 8/15/2007


APPLIES TO


 * Microsoft Internet Explorer 4.01 128-Bit Edition
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 4.0 for UNIX
 * Microsoft Internet Explorer 4.01
 * Microsoft Windows 98 Standard Edition
 * Microsoft Internet Explorer 1.0
 * Microsoft Internet Explorer 2.0
 * Microsoft Internet Explorer 3.0
 * Microsoft Internet Explorer 3.01
 * Microsoft Internet Explorer 3.02
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 3.2




This article was previously published under Q168617



SUMMARY
Microsoft has released an update that addresses a potential security issue involving the implementation of Security Zones in Internet Explorer. Additional information about this issue is available from the following Microsoft Web site:


 * http://www.microsoft.com/technet/security/bulletin/ms98-016.mspx

Updates are available for the following products:


 * Microsoft Internet Explorer 4.01 for Windows 95
 * Microsoft Internet Explorer 4.01 for Windows NT 4.0 (Alpha and x86)
 * Microsoft Windows 98
 * Microsoft Internet Explorer 4.01 for Windows 3.1
 * Microsoft Internet Explorer 4.01 for Windows NT 3.51

This issue may enable a malicious Web site administrator to misrepresent the Web address (URL) of an Internet Web site, enabling the site to be treated by Internet Explorer's Security Zones feature as if it was located on a local Intranet.

By default, the settings for the local Intranet zone are similar to those for the Internet zone with regard to downloading executable code (including ActiveX controls and plug-ins), in that you are prompted to confirm the download process before it begins. However, you may be at risk if you have altered your local Intranet zone settings to enable automatic downloading of executable content. Microsoft has not received any reports of adverse effects due to this issue.



MORE INFORMATION
NOTE: After you apply this update, computers on your local Intranet with completely numeric computer names are treated as if they are in the Internet zone. Note that Microsoft does not recommend using all numeric computer names as it can cause some utilities to misinterpret the names as IP addresses. This is documented in the following article in the Microsoft Knowledge Base:

  ARTICLE-ID: Q190294
  TITLE     : Use of all Numeric NetBIOS Names Can Cause Problems
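
The behaviour described in the NOTE above, as an added example (not Microsoft's code): a Python sketch that models the zone decision and lists all-numeric hosts in a set of URLs, decoding each as the 32-bit IPv4 address it can be read as. It assumes a simplified rule in which only host names without dots are candidates for the local Intranet zone; the function names and sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs (192.0.2.1 is a documentation address).
SAMPLE_URLS = [
    "http://fileserver/reports/q3.htm",   # ordinary dotless intranet name
    "http://www.example.com/",            # dotted name
    "http://192.0.2.1/index.htm",         # dotted-quad address
    "http://3221225985/index.htm",        # the same address written without dots
    "http://12345678901/",                # all digits, too large for 32 bits
    "http://10042/",                      # an all-numeric computer name
]

def classify(url):
    """Zone decision for one URL under the simplified dotless-name rule.

    Returns (zone, decoded). decoded is the dotted-quad address an all-numeric
    host maps to when read as a 32-bit integer, otherwise None.
    """
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", None)
    if "." in host or ":" in host:
        # Dotted names and literal addresses never qualify as dotless names.
        return ("internet", None)
    if host.isascii() and host.isdigit():
        # Post-update behaviour: completely numeric names are treated as
        # Internet zone, whether or not the value fits in 32 bits.
        value = int(host)
        decoded = str(ipaddress.IPv4Address(value)) if value <= 0xFFFFFFFF else None
        return ("internet", decoded)
    return ("intranet", None)

def numeric_hosts(urls):
    """Return (url, decoded_address) for every URL whose host is all digits."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host.isascii() and host.isdigit():
            hits.append((url, classify(url)[1]))
    return hits

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, classify(url))
```

The `http://10042/` case shows why an intranet computer with an all-numeric name lands in the Internet zone after the update: the name is indistinguishable from an address written as a single number.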

To work around this issue if you must use an all numeric computer name, add the computer's IP address to Internet Explorer's Proxy Server exceptions list. To do this, use the appropriate method:

NOTE: Perform the following steps only on computers that use a static IP address.

Microsoft Windows 95/98 or Microsoft Windows NT 4.0 or Later

 * 1) Click Start, click Run, type "ping <computer name>" where <computer name> is the computer's all numeric computer name, and then click OK.
 * 2) Note the computer's IP address, type "exit" (without quotation marks), and then press ENTER.
 * 3) Click Start, point to Settings, click Control Panel, and then double-click Internet.
 * 4) Click the Connections tab, and then click Advanced under Proxy Server.
 * 5) In the Exceptions box, enter the IP address that you noted in step 2, click OK, and then click OK.

Microsoft Windows 3.1x or Microsoft Windows NT 3.51

 * 1) In Program Manager, click Run on the File menu.
 * 2) In Windows NT 3.51, type "cmd" (without quotation marks), and then click OK. In Microsoft Windows 3.1x, type "command" (without quotation marks), and then click OK.
 * 3) At the command prompt, type "ping <computer name>" where <computer name> is the computer's all numeric computer name, and then press ENTER.
 * 4) Note the computer's IP address, type "exit" (without quotation marks), and then press ENTER.
 * 5) In Internet Explorer, click Internet Options on the View menu, and then click the Connection tab.
 * 6) Click Advanced, and then in the "Do not use proxy server for addresses beginning with:" box, type the IP address you noted in step 4, click OK, and then click OK.

Update Information by Product:

NOTE: If you are using Internet Explorer 4.0, you must install Internet Explorer 4.01 in order to apply this update. You can install Internet Explorer 4.01 with Service Pack 1 from the following Microsoft Web site:

  http://www.microsoft.com/windows/ie/downloads/default.mspx

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows 95:

  File Name            Size           Date       Version
  ---------------------------------------------------------------
  Urlmon.dll           517360         10/21/98   4.72.3510.2000

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 (x86):

  File Name            Size           Date       Version
  ---------------------------------------------------------------
  Urlmon.dll           517360         10/21/98   4.72.3510.2000

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 (Alpha):

  File Name            Size           Date       Version
  ---------------------------------------------------------------
  Urlmon.dll           828688         10/21/98   4.72.3510.2000

Windows 98:

  File Name            Size           Date       Version
  ---------------------------------------------------------------
  Urlmon.dll           517360         10/21/98   4.72.3510.2000

Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51:

  File Name            Size           Date       Version
  ---------------------------------------------------------------
  Urlmon16.dll         351968         10/21/98   4.1.2510.2100

Reducing Your Risk If You Cannot Apply the Patch
If you are unable to apply the patch, you can reduce your risk of being affected by this problem by adjusting your Intranet Zone settings to be the same as those used by the Internet Zone. To do this, perform the following steps:


 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Internet, and then click the Security tab.
 * 3) In the Zone box, click local Intranet Zone.
 * 4) Modify the local Intranet Zone security level or custom settings to match those in the Internet Zone.
 * 5) Click OK to close the Internet Properties sheet.

Note: The default configuration for both the Internet Zone and the local Intranet zone is "Medium Security". However, there is one difference between these defaults: the local Intranet Zone enables the automatic use of NTLM challenge response authentication with local Intranet machines, while this option is disabled by default when connecting to servers in the Internet Zone. If you need to change this setting, perform the following steps:


 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Internet, and then click the Security tab.
 * 3) In the Zone box, click local Intranet Zone.
 * 4) Select the level of security that you wish to use under User Identification | Logon.
 * 5) Click OK to close the Security Settings dialog, then click OK to close the Internet Properties sheet.


© Microsoft Corporation. All rights reserved.