Help and Support

Update Available for Dotless IP Address Security Issue

View products that this article applies to.
Article ID:168617
Last Review:August 15, 2007
Revision:3.4
This article was previously published under Q168617
On This Page

SUMMARY

Microsoft has released an update that addresses a potential security issue involving the implementation of Security Zones in Internet Explorer. Additional information about this issue is available from the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms98-016.mspx (http://www.microsoft.com/technet/security/bulletin/ms98-016.mspx)
Updates are available for the following products:

Microsoft Internet Explorer 4.01 for Windows 95
Microsoft Internet Explorer 4.01 for Windows NT 4.0 (Alpha and x86)
Microsoft Windows 98
Microsoft Internet Explorer 4.01 for Windows 3.1
Microsoft Internet Explorer 4.01 for Windows NT 3.51


This issue may enable a malicious Web site administrator to misrepresent the Web address (URL) of an Internet Web site, enabling the site to be treated by Internet Explorer's Security Zones feature as if it was located on a local Intranet.

By default, the settings for the local Intranet zone are similar to those for the Internet zone with regard to downloading executable code, (including ActiveX controls and plug-ins) in that you are prompted to confirm the download process before it begins. However, you may be at risk if you have altered your local Intranet zone settings to enable automatic downloading of executable content. Microsoft has not received any reports of adverse effects due to this issue.

Back to the top

MORE INFORMATION

NOTE: After you apply this update, computers on your local Intranet with completely numeric computer names are treated as if they are in the Internet zone. Note that Microsoft does not recommend using all numeric computer names as it can cause some utilities to misinterpret the names as IP addresses. This is documented in the following article in the Microsoft Knowledge Base: 

   ARTICLE-ID: <WWLINK TYPE="ARTICLE" VALUE="Q190294">Q190294</WWLINK>
				
   TITLE     : Use of all Numeric NetBIOS Names Can Cause Problems


To work around this issue if you must use an all numeric computer name, add the computer's IP address to Internet Explorer's Proxy Server exceptions list. To do this, use the appropriate method:

NOTE: Perform the following steps only on computers that use a static IP address.

Back to the top

Microsoft Windows 95/98 or Microsoft Windows NT 4.0 or Later



1.Click Start, click Run, type "ping <all numeric computer name>" where <all numeric computer name> is the computer's all numeric computer name, and then click OK.
2.Note the computer's IP address, type "exit" (without quotation marks), and then press ENTER.
3.Click Start, point to Settings, click Control Panel, and then double-click Internet
4.Click the Connections tab, and then click Advanced under Proxy Server.
5.In the Exceptions box, enter the IP address that you noted in step 2, click OK, and then click OK.

Back to the top

Microsoft Windows 3.1x or Microsoft Windows NT 3.51



1.In Program Manager, click Run on the File menu.
2.In Windows NT 3.51, type "cmd" (without quotation marks), and then click OK. In Microsoft Windows 3.1x, type "command" (without quotation marks), and then click OK.
3.At the command prompt, type "ping <all numeric computer name>" where <all numeric computer name> is the computer's all numeric computer name, and then press ENTER.
4.Note the computer's IP address, type "exit" (without quotation marks), and then press ENTER.
5.In Internet Explorer, click Internet Options on the View menu, and then click the Connection tab.
6.Click Advanced, and then in the "Do not use proxy server for addresses beginning with:" box, type the IP address you noted in step 4, click OK, and then click OK.
Update Information by Product:

NOTE: If you are using Internet Explorer 4.0, you must install Internet Explorer 4.01 in order to apply this update. You can install Internet Explorer 4.01 with Service Pack 1 from the following Microsoft Web site: 

   <WWLINK TYPE="GENERIC" VALUE="http://www.microsoft.com/windows/ie/downloads/default.mspx">http://www.microsoft.com/windows/ie/downloads/default.mspx</WWLINK>


Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows 95: 

   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           517360         10/21/98   4.72.3510.2000


Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 (x86): 

   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           517360         10/21/98   4.72.3510.2000


Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 (Alpha): 

   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           828688         10/21/98   4.72.3510.2000


Windows 98: 

   File Name            Size           Date       Version
   -------------------------------------------------------------
   Urlmon.dll           517360         10/21/98   4.72.3510.2000


Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51: 

   File Name            Size           Date       Version
   ------------------------------------------------------------
   Urlmon16.dll         351968         10/21/98   4.1.2510.2100


Back to the top

Reducing Your Risk If You Cannot Apply the Patch



If you are unable to apply the patch, you can reduce your risk of being affected by this problem by adjusting your Intranet Zone settings to be the same as those used by the Internet Zone. To do this, perform the following steps:

1.Click Start, point to Settings, and then click Control Panel.
2.Double-click Internet, and then click the Security tab.
3.In the Zone box, click local Intranet Zone.
4.Modify the local Intranet Zone security level or custom settings to match those in the Internet Zone.
5.Click OK to close the Internet Properties sheet.
Note: The default configuration for both the Internet Zone and the local Intranet zone is "Medium Security". However, there is one difference between these defaults: the local Intranet Zone enables the automatic use of NTLM challenge response authentication with local Intranet machines, while this option is disabled by default when connecting to servers in the Internet Zone. If you need to change this setting, perform the following steps:

1.Click Start, point to Settings, and then click Control Panel.
2.Double-click Internet, and then click the Security tab.
3.In the Zone box, click local Intranet Zone.
4.Select the level of security that you wish to use under User Identification | Logon.
5.Click OK to close the Security Settings dialog, then click OK to close the Internet Properties sheet.

Back to the top

APPLIES TO
Microsoft Internet Explorer 4.01 128-Bit Edition
Microsoft Internet Explorer 4.0 128-Bit Edition
Microsoft Internet Explorer 4.0 for UNIX
Microsoft Internet Explorer 4.01
Microsoft Windows 98 Standard Edition
Microsoft Internet Explorer 1.0
Microsoft Internet Explorer 2.0
Microsoft Internet Explorer 3.0
Microsoft Internet Explorer 3.01
Microsoft Internet Explorer 3.02
Microsoft Internet Explorer 5.0
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 3.2

Back to the top

Keywords: 
kbinfo KB168617

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Contact Microsoft
    Phone Numbers, Support Options and Pricing, Online Help, and more.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.