Netscape 2.01 fixes server vulnerabilities by breaking the client...

[Steve Gibbons]

(This was previously posted to cypherpunks list, I have expanded the 
distribution to the firewalls list due to the content.)

In Article: <315C8FCB.2781 at netscape.com>, Tom Weinstein <tomw at netscape.com> wrote:
# Rich Graves wrote:
# > 
# > Now I suppose they'll want me to fix all the pages where I do a finger
# > with a gopher://host:79/0user Any chance this nonfix can be unfixed?
# > 
# > This nonfix was applied to the UNIX and Win32 versions; I haven't
# > checked the other platforms.

# It may be unpleasant, but it's a fact that there was a real security
# hole here.  There is a well known buffer overrun bug in finger that a
# lot of people inside firewalls haven't fixed.  Using gopher: URLs
# in IMG tags it was possible to do nasty things.  We tried to err on
# the side of permissivity, but finger was one port we just couldn't
# allow.  Yes, it sucks.  So does someone reaching through your firewall
# and running commands as root.

Let's look at this from the perspective of a company with a firewall:
    Q: Do I want my users dictating what's allowed?
    A: Probably not.

    Q: Do I want my software vendors dictating what's allowed?
    A: Maybe not.

    Real Q1: When are sun/netscape/browser-vendor-x going to provide
    standardized, secure, multi-teired configuration options?

    Real Q2: It seams to me that most of the standard TCP protocols that a
    gopher client can talk to should have similarly standard protocol-specifiers
    for the URL.  Browser vendors are in a perfect position to say "this lack
    of synchronization is a real problem" and "It's bitten us already" and to 
    take care of the problem by proposing RFCs.  

    Real Q3: (Somewhat off-topic) when are signed applets going to appear?

    comprehensive standards coupled with multi-teired configuration options 
    would allow real-world customers and their net-neighbors to sleep a little 
    better at night.

--
Steve at AZTech.Net