I just checked in IE6 and it looks like the "medium" security level is the default setting for the Intranet zone. This is the same default as the Internet zone. Seems to me that if IE4 and IE5 have the same default, then this bug is not going to affect very many people. I suspect that most folks don't change the settings on the Intranet zone. An interesting discovery nevertheless. Richard -----Original Message----- From: kikkert security [mailto:unhackables@hotmail.com] Sent: Thursday, October 11, 2001 5:38 AM To: bugtraq@securityfocus.com; FOCUS-MS@SECURITYFOCUS.COM Subject: Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing ------ Risk: POTENTIALLY HIGH. Potentially allowing any possible action on the client machine, including reading any file, placing Trojan code or altering data. The risk depends on the security settings in the 'Intranet zone'.
