IE 4 security bug latest

Yet another way for Web sites to sneak dodgy content onto your system

Microsoft Internet Explorer 4's method of parsing IP addresses could allow unscrupulous Webmasters to run code on users' machines, it has emerged. The security hole centres on the way IE distinguishes between two alternative ways of formatting IP addresses. If the browser encounters an address in the commonly-used form of four numbers separated by dots, such as 1.2.3.4, it treats the address as a Web site. However, IP addresses can also be represented by a single value derived by expressing the four-number address as a power series of 256, ie. (1 x 256 x 256 x 256)+(2 x 256 x 256)+(3 x 256)+4. IE assumes such single-value IP addresses locate intranet-based sites. If the user has applied less stringent security checks to intranet-sourced content, as well they might, a malicious Web site administrator could use the hole to run active content on the user's computer without first obtaining the user's permission to download and run it. The glitch was discovered by Danish Webmaster Sune Hansen. Microsoft has since admitted the presence of the hole and, according to Windows platform product manager Mike Nichols, a patch is being prepared. ® Click for more stories

Sponsored: How to determine if cloud backup is right for your servers