Updated:  November 28, 2001

Status

Affected

Vendor Statement

Please see MS01-051 at: http://www.microsoft.com/technet/security/bulletin/ms01-051.asp Systems affected include: Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 2000 Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 95 Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 98 Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 98 Second Edition Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows NT 4.0 Microsoft Internet Explorer version 6 for Windows 2000 Microsoft Internet Explorer version 6 for Windows 98 Microsoft Internet Explorer version 6 for Windows 98 Second Edition Microsoft Internet Explorer version 6 for Windows Millennium Edition Microsoft Internet Explorer version 6 for Windows NT 4.0 Microsoft Internet Explorer version 6 for Windows XP

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. -----BEGIN PGP SIGNED MESSAGE----- Title: Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone Date: 10 October 2001 Software: Internet Explorer Impact: Three vulnerabilities: - Cause web page to render a web page using inappropriate security settings - Send commands to a third-party web site in the guise of the user - Create a file on the system of a user who visited a web site. Bulletin: MS01-051 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-051.asp. Issue: This patch eliminates three vulnerabilities affecting Internet Explorer. The first involves how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6. The second involves how IE handles URLs that specify third-party sites. By encoding an URL in a particular way, it would be possible for an attacker to include HTTP requests that would be sent to the site as soon as a connection had been established. These requests would appear to have originated from the user. In most cases, this would only allow the attacker to send the user to a site and request a page on it. However, if exploited against a web-based service (e.g., a web-based mail service), it could be possible for the attacker to take action on the user's behalf, including sending a request to delete data. The third is a new variant of a vulnerability discussed in Microsoft Security Bulletin MS01-015, affecting how Telnet sessions are invoked via IE. By design, telnet sessions can be launched via IE. However, a vulnerability exists because when doing so, IE will start Telnet using any command-line options the web site specifies. This only becomes a concern when using the version of the Telnet client that installs as part of Services for Unix (SFU) 2.0 on Windows NT(r) 4.0 or Windows(r) 2000 machines. The version of the Telnet client in SFU 2.0 provides an option for creating a verbatim transcript of a Telnet session. An attacker could start a session using the logging option, then stream an executable file onto the user's system in a location that would cause it to be executed automatically the next time the user booted the machine. The flaw does not lie in the Telnet client, but in IE, which should not allow Telnet to be started remotely with command-line arguments. Mitigating Factors: Zone Spoofing vulnerability: - The default settings in the Intranet Zone differ in only a few ways from those of the Internet Zone. The differences are enumerated in the FAQ, but none would allow destructive action to be taken. HTTP Request Encoding vulnerability: - In order to exploit this vulnerability successfully, the attacker would need to possess significant personal information about the victim, such as what web services the user subscribed to, folder structures, and so forth. - Even if the attacker knew the requisite personal information, factors outside of the attacker's control (such as whether the user was logged onto the service already) could cause the user to see prompts and dialogues that would indicate that an attack was underway. - It is unlikely that the vulnerability could be used to target large populations; it is likely that it could be used only against specific targets. New variant of Telnet Invocation vulnerability: - This vulnerability is only a concern for customers who are using the Telnet client that ships as part of Services for Unix 2.0. No other versions of Telnet contain the command-line feature to create log files, including the versions that ship by default as part of Windows platforms. Patch Availability: - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-051.asp for information on obtaining this patch. Acknowledgment: - Michiel Kikkert (security@kikkert.nl) - Joao Gouviea (tharbad@kaotik.org) THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBO8TtC40ZSRQxA/UrAQHy0Af+MZN2lTMZ4+pE0uemyAZQjVKW52+L5LkD nzUEE6pUz5ZSCRNQBxjMUD53FDJYuIuopjp65w/Tc2oAnDbLwq0Zjm9p36egJCbG y8v6ZwSgG1SSMsM0IBsH651TLvUjbnURpE5h3aMFwtjUH2I/LmBxV2dGMlmZ4xuN jvNCyulh6o9ES2bxdKCRGznoE1afrbC8FMtaYqVKLRUuhTfQ997Z9wO4cxBSLeKM owHlkmUpL+bHA+to62F3gL/bIkPoYW2+LTG8GHNewJqsib4TNRW3dI+bFfKNhOap jCAzSVF8AtM7vTf1vAUMA1FRoJr25Obg2P3ZAiunvG9LTKeqM1/jbA== =pdOt -----END PGP SIGNATURE----- You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.