Netscape Bug :)))
Just over the wire:
Seems that there is a bug in Netscape including the new Communicator that will allow a web site to read *ANY* file on your computer. I repeat *ANY*, yes Virginia, *ANY* file on your computer.
WebEx user and loving it. :)))))
--
---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
William H. Geiger III wrote:
Seems that there is a bug in Netscape including the new Communicator that will allow a web site to read *ANY* file on your computer. I repeat *ANY*, yes Virginia, *ANY* file on your computer.
WebEx user and loving it. :)))))
Do you know if the bug affects Unix versions? How about linux? And what is the exploit? - Igor.
In <199706130347.WAA08219@manifold.algebra.com>, on 06/12/97 at 10:47 PM, ichudov@Algebra.COM (Igor Chudov @ home) said:
William H. Geiger III wrote:
Seems that there is a bug in Netscape including the new Communicator that will allow a web site to read *ANY* file on your computer. I repeat *ANY*, yes Virginia, *ANY* file on your computer.
WebEx user and loving it. :)))))
Do you know if the bug affects Unix versions? How about linux?
And what is the exploit?
They didn't go into details but they did say in the report that it was a bug in the "core" of the Netscape code so I would imagine that it is cross platform.
Unfortunately they did give details on how to use this bug.
This seems to be a bug that has been out for awhile as it is not just the new Communicator but older versions of NS also.
Perhaps time to generate a new PGP key pair? :(
--
---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
William H. Geiger III wrote:
at 10:47 PM, ichudov@Algebra.COM (Ignoramus Chewed-Off) said:
William H. Geiger III wrote:
Seems that there is a bug in Netscape including the new Communicator that
Do you know if the bug affects Unix versions? How about linux? And what is the exploit?
They didn't go into details but they did say in the report that it was a bug in the "core" of the Netscape code so I would imagine that it is cross platform.
Unfortunately they did give details on how to use this bug.
This seems to be a bug that has been out for awhile as it is not just the new Communicator but older versions of NS also.
Perhaps time to generate a new PGP key pair? :(
You mean, your passphrase is empty? - Igor.
In <199706130357.WAA08338@manifold.algebra.com>, on 06/12/97 at 10:57 PM, ichudov@Algebra.COM (Igor Chudov @ home) said:
William H. Geiger III wrote:
at 10:47 PM, ichudov@Algebra.COM (Ignoramus Chewed-Off) said:
William H. Geiger III wrote:
Seems that there is a bug in Netscape including the new Communicator that
Do you know if the bug affects Unix versions? How about linux? And what is the exploit?
They didn't go into details but they did say in the report that it was a bug in the "core" of the Netscape code so I would imagine that it is cross platform.
Unfortunately they did give details on how to use this bug.
This seems to be a bug that has been out for awhile as it is not just the new Communicator but older versions of NS also.
Perhaps time to generate a new PGP key pair? :(
You mean, your passphrase is empty?
No I feel quite secure in my choice of passphrases. I don't use NS so I am not concerned about it. If for some reason I thought that a 3rd party had acquired my secring.pgp file I would generate a new key (I'm paranoid but that doesn't mean that "they" aren't out to get me <g>).
--
---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
At 10:47 PM 6/12/97 -0500, Igor Chudov wrote:
William H. Geiger III wrote:
Seems that there is a bug in Netscape including the new Communicator that will allow a web site to read *ANY* file on your computer. I repeat *ANY*, yes Virginia, *ANY* file on your computer.
WebEx user and loving it. :)))))
Do you know if the bug affects Unix versions? How about linux?
And what is the exploit?
------------------------------------------------
Danish software firm finds flaw that could let sites see data stored on PCs
From Correspondent Steve Young
June 12, 1997: 6:58 p.m. ET
NEW YORK (CNNfn) - A serious new flaw that affects all versions of Netscape Communications Corp.'s popular Navigator Internet browser software -- including the final test version of its Communicator Suite released Wednesday -- has been uncovered by a Danish software firm, CNNfn has learned.
The bug was reported by Cabocomm, a software company located about 100 miles west of Copenhagen, Denmark. The bug makes it possible for Web-site operators to read anything stored on the hard drive of a PC logged on to the Web site.
After the firm reported the bug to CNN Financial News, CNNfn and PC Magazine tested the bug by creating and storing a document on a PC's hard drive in New York. Seconds later, the Danish company read it. As further proof, CNNfn and PC Magazine created another document which the Danish company was also able to read.
Larry Seltzer, technical director of PC Labs, was among those who helped verify the bug report. He said it would take a somewhat savvy computer user to exploit the bug.
"They have to be seeking information from your system and they also have to know the file name. It's not that hard for somebody who's looking to make trouble, but they do have to be looking for it," Seltzer said.
"It's serious in that it's in the [actual] browser ...whereas previous bugs generally required the user to have downloaded an additional product," Jim Wise, UNIX administrator for CNNfn, said.
CNNfn's test showed that Internet security firewalls offer no protection from the bug.
Mike Homer, vice president of marketing for Netscape, said the company takes this and all bug reports seriously.
The Danish company says the reward of $1,000 and a T-shirt is "insultingly low" considering the extent to which the bug report is likely to worry Netscape users. Cabocomm said it would accept "reasonable compensation" for the technical information -- or they can send a Netscape representative to Cabocomm and get it for free.
CNNfn, PC Magazine and the Danish company will not release technical details on the bug until Netscape has prepared a bug fix. The reason CNNfn is not reporting the specifics of the bug is to avoid anyone exploiting it.
Until the bug is fixed, confidential letters, business spreadsheets -- everything on your PC -- can potentially be pilfered. The Danish company says it won't exploit the bug, but has no idea if someone else has found the same bug and is compromising a system's integrity.
*********************************************************
Lynne L. Harrison, Esq.    | "The key to life:
Poughkeepsie, New York     | - Get up;
lharrison@mhv.net          | - Survive;
http://www.dueprocess.com  | - Go to bed."
************************************************************
DISCLAIMER: I am not your attorney; you are not my client.
Accordingly, the above is *NOT* legal advice.
The bug was reported by Cabocomm, a software company located about 100 miles west of Copenhagen, Denmark. The bug makes it possible for Web-site operators to read anything stored on the hard drive of a PC logged on to the Web site.
Do you have information if by PC here they mean the abbreviated IBM-PC form (ie. something running a Micro$oft OS) or the generic media meaning (ie. any micro)... Ie. is the linux version affected?
Datacomms Technologies data security
Paul Bradley, Paul@fatmans.demon.co.uk
Paul@crypto.uk.eu.org, Paul@cryptography.uk.eu.org
Http://www.cryptography.home.ml.org/
Email for PGP public key, ID: FC76DA85
"Don`t forget to mount a scratch monkey"
William H. Geiger III wrote:
Seems that there is a bug in Netscape including the new Communicator that will allow a web site to read *ANY* file on your computer. I repeat *ANY*, yes Virginia, *ANY* file on your computer.
And what is the exploit?
According to an uninformative, but extensive, report on CNN, the firm is being very closed-mouth about the bug, and expects to be richly rewarded "The $1000 bug reward was an insult." They will, however, *give* the information to Netscape if they appear in person at the company offices in Aarhus. You might want to look at PC Lab's web site (or PC Magazine, I don't remember which). All of the examples appeared to use Windows, and the words "Active X" and "Java" were not used.
Martin Minow
participants (5)
- ichudov@Algebra.COM
- Lynne L. Harrison
- Martin Minow
- Paul Bradley
- William H. Geiger III