- Recommend:
Malformed Dotless IP Address Security Patch
- Downloads Count: 6,766
- License Type: Free
- Price: Free
- Date Added: Oct 30, 2002
- Operating Systems: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows XP
- Author: Microsoft
Description of Malformed Dotless IP Address Security Patch
This patch eliminates three bugs affecting Internet Explorer. One deals with dotless IP addresses (for example, http://031713501415 rather than http://207.46.131.13). Through this bug, your browser would not recognize the page as an Internet page, but as an Intranet page, and the page would run with fewer security restrictions as a result.
The second bug the app fixes involves how IE handles URLs that specify third-party sites. By encoding an URL in a particular way, it would be possible for an attacker to include HTTP requests that would be sent to the site as soon as a connection had been established. These requests would appear to have originated from the user. If exploited against a Web-based service (for example, a Web-based mail service), it could be possible for the attacker to take action on the user's behalf, including sending a request to delete data.
The third bug fixed is a new variant of a former vulnerability discussed in Microsoft Security Bulletin MS01-015, affecting how Telnet sessions are invoked via IE. By design, telnet sessions can be launched via IE. However, a vulnerability exists because when doing so, IE will start Telnet using any command-line options the Web site specifies. This only becomes a concern when using the version of the Telnet client that installs as part of Services for Unix (SFU) 2.0 on Windows NT 4.0 or Windows 2000 machines.
The version of the Telnet client in SFU 2.0 provides an option for creating a verbatim transcript of a Telnet session. An attacker could start a session using the logging option, then stream an executable file onto the user's system in a location that would cause it to be executed automatically the next time the user booted the machine. The flaw does not lie in the Telnet client, but in IE, which should not allow Telnet to be started remotely with command-line arguments.
Sponsored
-
Fix bugs that affect the security of your Internet connection when you use IE 5.x or 6.x.
-
Ensure that all AOL images are showing with this Windows 2000 patch.
-
Put a search engine and a powerful bookmark utility in your browser's title bar.
-
Eliminate two ActiveX bugs that leave your computer vulnerable.
-
Enhance Internet searches via Internet Explorer directly from the address bar.
-
Remove banner ads on the Web pages you visit.
-
Surf anonymously with the click of a button in your IE toolbar.
-
Stop hackers from executing code on your PC.
-
Update security and correct buffer overruns in Explorer 4.0.
-
Install this patch to fix a security hole in IE4.
-
IdeaPad U300s If there's a laptop that deserves the moniker "Ultrabook" it's the Lenovo IdeaPad U300s.
Buy now direct from Lenovo -
ThinkPad X220 Fast and light, with great input ergonomics and battery life, this powerhouse ultraportable is best-of-breed.
Buy now direct from Lenovo -
ThinkPad T420 Just about every IT person we know swears by the T series--for their clients and themselves.
Buy now direct from Lenovo
Ad Choices