Unrated severityNVD Advisory· Published Dec 31, 1999· Updated Apr 16, 2026

CVE-1999-1087

Description

Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server.

Affected products

Microsoft/Internet Explorer3 versions
cpe:2.3:a:microsoft:internet_explorer:4.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:microsoft:internet_explorer:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:4.0.1:sp1:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.microsoft.com/support/kb/articles/q168/6/17.aspnvdPatchVendor Advisory
www.microsoft.com/Windows/Ie/security/dotless.aspnvd
www.osvdb.org/7828nvd
docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-016nvd
exchange.xforce.ibmcloud.com/vulnerabilities/2209nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.009
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000