- Recommend:
Malformed Dotless IP Address Security Patch
- Downloads Count: 6,766
- License Type: Free
- Price: Free
- Date Added: Oct 30, 2002
- Operating Systems: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows XP
- Author: Microsoft
Description of Malformed Dotless IP Address Security Patch
This patch eliminates three bugs affecting Internet Explorer. One deals with dotless IP addresses (for example, http://031713501415 rather than http://207.46.131.13). Through this bug, your browser would not recognize the page as an Internet page, but as an Intranet page, and the page would run with fewer security restrictions as a result.
The second bug the app fixes involves how IE handles URLs that specify third-party sites. By encoding an URL in a particular way, it would be possible for an attacker to include HTTP requests that would be sent to the site as soon as a connection had been established. These requests would appear to have originated from the user. If exploited against a Web-based service (for example, a Web-based mail service), it could be possible for the attacker to take action on the user's behalf, including sending a request to delete data.
The third bug fixed is a new variant of a former vulnerability discussed in Microsoft Security Bulletin MS01-015, affecting how Telnet sessions are invoked via IE. By design, telnet sessions can be launched via IE. However, a vulnerability exists because when doing so, IE will start Telnet using any command-line options the Web site specifies. This only becomes a concern when using the version of the Telnet client that installs as part of Services for Unix (SFU) 2.0 on Windows NT 4.0 or Windows 2000 machines.
The version of the Telnet client in SFU 2.0 provides an option for creating a verbatim transcript of a Telnet session. An attacker could start a session using the logging option, then stream an executable file onto the user's system in a location that would cause it to be executed automatically the next time the user booted the machine. The flaw does not lie in the Telnet client, but in IE, which should not allow Telnet to be started remotely with command-line arguments.
Sponsored
-
Get bug fixes and recently added features for IE.
-
Close up a security breach in IE 5 with this patch.
-
Update to the Winsock Sockets 2 DLL for Windows 95.
-
Fix all of the known security bugs in Internet Explorer 5.5 and 6.
-
Correct many of the issues surrounding Office XP with this collection of patches.
-
Correct a bug that keeps upgraders to Office XP from using Small Business Tools 2000 components.
-
Make your IPaq Pocket PC recognize certain modem cards; iron out system bugs as well.
-
Spice up your presentations for the Web with animation and interactivity.
-
Remove banner ads on the Web pages you visit.
-
Explore virtual reality (VRML 2.0) sites on the Web with this plug-in.
-
IdeaPad U300s If there's a laptop that deserves the moniker "Ultrabook" it's the Lenovo IdeaPad U300s.
Buy now direct from Lenovo -
ThinkPad X220 Fast and light, with great input ergonomics and battery life, this powerhouse ultraportable is best-of-breed.
Buy now direct from Lenovo -
ThinkPad T420 Just about every IT person we know swears by the T series--for their clients and themselves.
Buy now direct from Lenovo
Ad Choices