Quantcast
Subscribe to magazine
 

Malformed Dotless IP Address Security Patch

Downloads Count: 3,333

License Type: Free

Price: Free

Date Added: Oct 30, 2002

Operating Systems: Windows XP, Windows NT, Windows 2000, Windows 9.x, Windows Me

Author: Microsoft

Recommend
this download?

 
Description of Malformed Dotless IP Address Security Patch

This patch eliminates three bugs affecting Internet Explorer. One deals with dotless IP addresses (for example, http://031713501415 rather than http://207.46.131.13). Through this bug, your browser would not recognize the page as an Internet page, but as an Intranet page, and the page would run with fewer security restrictions as a result.

The second bug the app fixes involves how IE handles URLs that specify third-party sites. By encoding an URL in a particular way, it would be possible for an attacker to include HTTP requests that would be sent to the site as soon as a connection had been established. These requests would appear to have originated from the user. If exploited against a Web-based service (for example, a Web-based mail service), it could be possible for the attacker to take action on the user's behalf, including sending a request to delete data.

The third bug fixed is a new variant of a former vulnerability discussed in Microsoft Security Bulletin MS01-015, affecting how Telnet sessions are invoked via IE. By design, telnet sessions can be launched via IE. However, a vulnerability exists because when doing so, IE will start Telnet using any command-line options the Web site specifies. This only becomes a concern when using the version of the Telnet client that installs as part of Services for Unix (SFU) 2.0 on Windows NT 4.0 or Windows 2000 machines.

The version of the Telnet client in SFU 2.0 provides an option for creating a verbatim transcript of a Telnet session. An attacker could start a session using the logging option, then stream an executable file onto the user's system in a location that would cause it to be executed automatically the next time the user booted the machine. The flaw does not lie in the Telnet client, but in IE, which should not allow Telnet to be started remotely with command-line arguments.

People who downloaded this also downloaded:
Sponsored Links
 
You are browsing Internet

Featured APC Accessories

  • APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
  • APC Smart-UPS Loaded with cutting-edge features, unique battery life predictor, unbeatable on-line efficiencies and software agents allowing remote UPS monitoring. Get 10% off your entire kart purchase!
Downloads FAQ

If you have questions about finding, downloading, or opening files in our library, you'll probably find the answers here.

Visit the Downloads FAQ »

Special Offer
special offer

Trend Micro AntiVirus plus AntiSpyware 2008

Trend Micro AntiVirus plus AntiSpyware installs quickly and then works quietly in the background. Its unobtrusive monitoring system, prescheduled security scans and automatic downloads of the latest updates take care of security, allowing you to concentrate on the things you really want to do with your computer."/>

More Information