Re: Another Netscape Bug (and possible security hole)
Ray Cromwell writes:
I've found a Netscape bug which I suspect is a buffer overflow and may have the potential for serious damage. If it is an overflow bug, then it may be possible to infect every computer which accesses a web page with Netscape. To see the bug, create an html file containing the following:
Oh brother, this is unbelievable!
I'm using Netscape 1.1N under SunOS 4.1.2.
It turns out that the same (or a similar) flaw resides in the Open Location input routine -- perhaps this merely coincides with the code called when a URL is clicked. Anyway, pasting a URL with an overlong domain name a la Ray's example causes two things:
(1) Part of the Open Location window widget, below the entry box, gets overwritten onscreen with a portion of the entered URL.
(2) Netscape crashes with a segmentation fault (no core dump that I can see).
Netscape 1.1N on a PowerMac crashes hard on that URL. If anyone wants to try it out, I've put up a simple page with the URL at http://www.redweb.com/experiment/bug.html
*warning* view the source before you click on strange links!!!
I don't do PPC assembler, so I can't tell you what happened.
OK, Perry was right, and it was wrong of me to argue with him based only on the code that I have personally seen. As we have already determined, I have not reviewed every line of code in netscape.
Not that I want to divert attention away from netscape (OK, maybe I do :-) ), but does this bug exist in any other common browser?
--Jeff
-- Jeff Weinstein - Electronic Munitions Specialist, Netscape Communication Corporation, jsw@netscape.com - http://home.netscape.com/people/jsw. Any opinions expressed above are mine.
Jeff Weinstein writes:
Not that I want to divert attention away from netscape(OK, maybe I do :-) ), but does this bug exist in any other common browser?
Good question. Here's one answer, obtained using a minor variation on Ray's URL:
----------------------------------------------
Congratulations, you have found a bug in NCSA Mosaic 2.4 on Sun.
If a core file was generated in your directory, please run 'dbx Mosaic' (or 'dbx /path/Mosaic' if the Mosaic executable is not in your current directory) and then type:
dbx> where
and mail the results, and a description of what you were doing at the time, to mosaic-x@ncsa.uiuc.edu.
We thank you for your support.
...exiting NCSA Mosaic now.
----------------------------------------------------
Now, the question is, does Netscape use _the same code_ that was used in Mosaic for this purpose?
-Futplex <futplex@pseudonym.com>
In article <9509220801.AA06875@cs.umass.edu>, futplex@pseudonym.com (Futplex) writes:
Now, the question is, does Netscape use _the same code_ that was used in Mosaic for this purpose ?
Absolutely not. There is not a single line of Mosaic code in our product.
--Jeff
-- Jeff Weinstein - Electronic Munitions Specialist, Netscape Communication Corporation, jsw@netscape.com - http://home.netscape.com/people/jsw. Any opinions expressed above are mine.
Jeff Weinstein writes:
OK, Perry was right, and it was wrong of me to argue with him based only on the code that I have personally seen. As we have already determined, I have not reviewed every line of code in netscape.
Not that I want to divert attention away from netscape(OK, maybe I do :-) ), but does this bug exist in any other common browser?
Probably in Mosaic, though not necessarily in the same place. It's a case of the same programmers making the same mistakes over and over again. I don't believe the Sun Java stuff would suffer from it, although I fear Java a great deal.
Perry
I don't believe the Sun Java stuff would suffer from it, although I fear Java a great deal.
Java doesn't break on this one. All you get back is a message saying the domain isn't defined.
BTW: This was tested using http://foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.f.... foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo .foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.fo o.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.f oo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo. foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo .foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.fo o.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.f oo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo. foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo .foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.fo o.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo/ on a SunOS box using HotJava 1.0 alpha 3.
Scott
-- Scott Fabbri sfabbri@frb.gov Opinions solely my own -- who else would want them?
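The thread's working theory is a host name copied into a fixed-size buffer with no length check, and HotJava's graceful "domain isn't defined" shows what the safe behaviour looks like. As an added example (not code from the thread or from any of the browsers discussed), here is the defensive shape of that routine: the host is extracted from a URL into a fixed buffer only after a length check, a second check applies the DNS name limits, and a constructed URL shaped like Scott's exercises both gates. HOST_MAX, the function names and the 1024-byte URL buffer are assumptions for illustration.

```c
#include <string.h>
#define HOST_MAX 256  /* assumed fixed buffer size for illustration, not Netscape's */
/* Hardened form of the suspected pattern (host copied into a fixed buffer unchecked):
 * extracts the host of "scheme://host[:port][/...]" into out; returns its length, or -1
 * if the URL is malformed or the host would not fit together with its terminating NUL. */
int host_from_url_checked(const char *url, char *out, size_t outsz) {
    const char *p = strstr(url, "://");
    if (!p) return -1;                        /* no scheme: refuse rather than guess */
    size_t n = strcspn(p + 3, "/:?#");        /* host ends at port, path, query or fragment */
    if (n == 0 || n >= outsz) return -1;      /* empty, or no room for the terminating NUL */
    memcpy(out, p + 3, n);
    out[n] = '\0';
    return (int)n;
}

/* Second gate, independent of buffer size: RFC 1035 allows labels of 1..63 octets
 * and names of at most 253 octets. Returns 1 if host conforms, else 0. */
int host_labels_ok(const char *host) {
    size_t label = 0, total = strlen(host);
    if (total == 0 || total > 253) return 0;
    for (const char *c = host;; c++) {
        if (*c != '.' && *c != '\0') { label++; continue; }
        if (label == 0 || label > 63) return 0;   /* empty or oversized label */
        if (*c == '\0') return 1;
        label = 0;
    }
}

/* Constructed input shaped like Scott's URL, "http://foo.foo...foo/" with the given
 * number of labels. Returns the URL length, or -1 if buf is too small to hold it. */
int build_long_url(char *buf, size_t bufsz, int labels) {
    if (labels < 1 || bufsz < 9) return -1;
    size_t used = 7; memcpy(buf, "http://", used);
    for (int i = 0; i < labels; i++) {
        const char *piece = i ? ".foo" : "foo";
        size_t len = strlen(piece);
        if (used + len + 2 > bufsz) return -1;    /* piece + "/" + NUL must fit */
        memcpy(buf + used, piece, len); used += len;
    }
    buf[used++] = '/'; buf[used] = '\0';
    return (int)used;
}

/* Both gates on an n-label URL against a HOST_MAX buffer: 1 accepted, 0 rejected, -1 could not build. */
int probe_url(int labels) {
    char url[1024], host[HOST_MAX];
    if (build_long_url(url, sizeof url, labels) < 0) return -1;
    if (host_from_url_checked(url, host, sizeof host) < 0) return 0;
    return host_labels_ok(host);
}
```

probe_url(200) returns 0 because the 799-octet host is rejected by the size gate, probe_url(64) also returns 0 because a 255-octet host fits the buffer but exceeds the 253-octet DNS limit, and probe_url(3) returns 1.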
Perry E. Metzger wrote:
| I don't believe the Sun Java stuff would suffer from it, although I
| fear Java a great deal.
I keep hearing this thought. Isn't Win95 with its 'executables in email' much more dangerous than Java, which at least tries to address security? There is the argument that the claims will inspire false confidence in Java's security mechanisms, and thus people will be bitten, but I don't buy it. People don't look to security as a check item when buying software. And when they do, they're usually not capable of distinguishing between the pap that passes for security through marketing from security by design.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
On Fri, 22 Sep 1995, Adam Shostack wrote:
Perry E. Metzger wrote:
| I don't believe the Sun Java stuff would suffer from it, although I | fear Java a great deal.
I keep hearing this thought. Isn't Win95 with its 'executables in email' much more dangerous than Java, which at least tries to address security?
Is that the new MS-Word you're thinking of? I hear that it lets you imbed macros containing executable code in documents. That's got to be one of the most dangerous ideas ever cooked up.
--Dave.
-- Dave Mandl dmandl@panix.com http://wfmu.org/~davem
On Fri, 22 Sep 1995 dmandl@panix.com wrote:
On Fri, 22 Sep 1995, Adam Shostack wrote:
Perry E. Metzger wrote:
| I don't believe the Sun Java stuff would suffer from it, although I | fear Java a great deal.
I keep hearing this thought. Isn't Win95 with its 'executables in email' much more dangerous than Java, which at least tries to address security?
Is that the new MS-Word you're thinking of? I hear that it lets you imbed macros containing executable code in documents. That's got to be one of the most dangerous ideas ever cooked up.
Agreed; but it's present, not just in Word (every version since 2.0, as far as I can tell, in fact, since they all let you make system calls...), but in Microsoft Network, Microsoft Access, Microsoft Excel... I believe PowerPoint and Publisher are exempt from this bug, if only because the current versions have no macro languages... One of the penalties that modern software (at least for Windows) imposes is the ability to create massive viri, simply by allowing system calls to be executed from macros (if this was not the case, OLE technology wouldn't work, and interoperation between Windows programs can't occur, thereby crippling the system through bad design regardless of which alternative was chosen).
Jon
------------------------------------------------------------------------------
Jon Lasser <jlasser@rwd.goucher.edu> (410)494-3072
Visit my home page at http://www.goucher.edu/~jlasser/
You have a friend at the NSA: Big Brother is watching. Finger for PGP key.
dmandl@panix.com wrote:
| On Fri, 22 Sep 1995, Adam Shostack wrote:
| > I keep hearing this thought. Isn't Win95 with its
| > 'executables in email' much more dangerous than Java, which at least
| > tries to address security?
|
| Is that the new MS-Word you're thinking of? I hear that it lets you
| imbed macros containing executable code in documents. That's got to
| be one of the most dangerous ideas ever cooked up.
No, this is a separate problem. It's not auto-executing code in Microsoft documents that worries me, so much as the ability to include executables as clickable images in a mail message, with the user having no control over what environment the program executes in. If strong fences make good neighbors, where are the fences in my network neighborhood?
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
Actually it allows you to imbed data and commands to run. What the latest MSWord virus did is imbed a virus dropper encoded in the Word document and then run it through the DOS debug command to make it a binary file (if you ever read the 40HEX virus magazine you should know how this works). From there it just ran the dropper.
Aleph One / aleph1@dfw.net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
On Fri, 22 Sep 1995 dmandl@panix.com wrote:
Is that the new MS-Word you're thinking of? I hear that it lets you imbed macros containing executable code in documents. That's got to be one of the most dangerous ideas ever cooked up.
--Dave.
-- Dave Mandl dmandl@panix.com http://wfmu.org/~davem
You could make a worm out of this Netscape bug by having it look for a user's homepage when it infects, and then inserting the URL into that page.
While browsing my mail I noticed that Jeff Weinstein wrote:
OK, Perry was right, and it was wrong of me to argue with him based only on the code that I have personally seen. As we have already determined, I have not reviewed every line of code in netscape.
Not that I want to divert attention away from netscape(OK, maybe I do :-) ), but does this bug exist in any other common browser?
--Jeff
-- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
TkWWW under Linux 1.2.12 dies with a Segmentation Fault with this bug :(
- --
=====================PGP Encrypted Mail Preferred========================
PGP Public Keys: 1024/BEB3ED71 & 2047/D9E1F2E9 on request.
As soon as any man says of the affairs of the state "What does it matter to me?" the state may be given up for lost. J.J.Rousseau - The Social Contract
a.k.a [ root@magus.dgsys.com / vamagus@delphi.com ]
==========================================================================
Not that I want to divert attention away from netscape(OK, maybe I do :-) ), but does this bug exist in any other common browser?
--Jeff
This shows that Netscape will probably, after much bad press and sleepless nights on the part of Netscape developers, become one of the most secure programs out there. The cypherpunks will have won because there will be a secure program available with the backing of lawyers. Netscape will have won because their product will be the best.
-- sameer
Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 An Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer@c2.org
On Fri, 22 Sep 1995, Dietrich J. Kappe wrote:
Netscape 1.1N on a powermac crashes hard on that url. If anyone wants to try it out, I've put up a simple page with the url at
Netscape on Windows (it's a school computer) works fine w/ a proxy. When there is no proxy, Windows dies. EMM dies. Lots of stuff dies. So use a proxy.
http://www.redweb.com/experiment/bug.html
*warning* view the source before you click on strange links!!!
Sometimes you won't expect it, i.e. for Netscape enhancements click here (or on the Netscape logo).
+---- Yih-Chun Hu (finger:yihchun@cs.washington.edu) ----------------------+
| http://www.cs.washington.edu/homes/yihchun yihchun@cs.washington.edu |
| http://weber.u.washington.edu/~yihchun yihchun@u.washington.edu |
+---- PGP Key Fingerprints (Keys by FINGER or on WWW) ---------------------+
| 1024/E50EC641 B2 A0 DE 9E 36 C0 EB A6 F9 3E D2 DD 2F 27 74 79 |
| 2047/DF0403F9 18 EB 62 C8 7F 06 04 67 42 76 24 E2 99 D1 07 DC |
+--------------------------------------------------------------------------+
On Fri, 22 Sep 1995, Dietrich J. Kappe wrote:
Netscape 1.1N on a powermac crashes hard on that url. If anyone wants to try it out, I've put up a simple page with the url at http://www.redweb.com/experiment/bug.html
Netscape also crashes (error 1) on regular Macs...sigh. I'm contacting someone who just wrote an http server to see how tough it would be to drop some code on the stack.
-Thomas
participants (14)
- Adam Shostack
- Aleph One
- dmandl@panix.com
- frenchie@magus.dgsys.com
- futplex@pseudonym.com
- goedel@tezcat.com
- Jon Lasser
- jsw@neon.netscape.com
- Perry E. Metzger
- Ray Cromwell
- sameer
- Scott M Fabbri
- Thomas Grant Edwards
- Yih-Chun Hu