IE bug could compromise security

Microsoft acknowledges a security hole in IE that could let a malicious Web site operator penetrate the browser's security zones.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
2 min read
Microsoft today acknowledged a security hole in its Internet Explorer browser that could let a malicious Web site operator penetrate IE's Internet security zones in some instances.

The hole, brought to Microsoft's attention by Sune Hansen, the Danish Webmaster of WorldWideWait, lets a Web site fool IE 4 into thinking that it has accessed a site within a corporate intranet, rather than one on the public Internet.

If the victim has changed the browser's default settings to lower security within the intranets security zone, then the Web site operator could sneak active content, such as an Active X control, into the visitor's computer and bypass the warnings and request for approval that users who download active content normally see.

The potential exploit would take advantage of the fact that, under the Internet protocol, numeric IP addresses can be represented by a single number rather than by the usual four numbers separated by dots. That single number is derived by multiplying the first IP address number by 256 to the third power, the second number by 256 to the second, and the third number by 256, and then adding the three results to the fourth number.

IE, however, relies on the dots in the IP address that separate the four numbers to determine that it has reached a site on the public Internet. If it encounters an IP address without dots, the browser thinks it has found a site on a local network or corporate intranet.

Microsoft's Mike Nichols, product manager for the Windows platform, noted that exploiting the hole would require a number of steps, and that no customers have reported being attacked through it. But he said that Microsoft took the hole seriously and was working on a patch. In the meantime, he advised IE users to reset the security level for the intranet zone to "medium," which is the default. Users who have not changed the default settings are not at risk, Nichols said.