[plug] Netscape insecurity

Christian christian at global.net.au
Fri Aug 27 13:21:17 WST 1999


On Fri, 27 Aug 1999, Bret Busby wrote:
> On page 152 of the printed magazine, in reference to Netscape 4.61, it says,
> 
> "Within days of the update's release, Bulgarian browser-security sleuth George
> Guninski found three flaws. These holes allow HTML authors to access your
> Navigator bookmarks, cache, and configuration files; browse your hard disk; and
> read local files on your system. For more details about these security gaps,
> walk over to some other unsuspecting fool's computer and check out Guninski's
> Web site at www.nat.bg/~joro."
> I did not go for a demonstration, in case it attacked my system.
> Given that Linux, as a version of UNIX, has password security to an extent that
> Windows does not, (even if not using the firewalling software that is part of
> Linux), do these security risks apply to the Netscape for Linux? And, therefore,
> is the password security of Linux defeated by using Netscape 4.61?

The password security obviously prevents you (=processes running with your
privileges) from reading/writing etc. objects for which you do not have
appropriate permissions.  Since Netscape runs as you and therefore
represents you then it can only do things that you can do on a given
system.  Under Windows the user has complete control over the machine and
therefore any processes running as that user can do anything they want.
Under Linux each process' power is restricted to the user who ran it (in
most cases).  Hence under Linux this application bug can only do whatever
you could do yourself.
 
> I am concerned that, if we install Netscape 4.61, and those security risks
> exist, that it will provide a risk that we would not otherwise have.

Netscape introduces a new set of security issues, as do a lot of different
applications.  In most cases Netscape's vulnerabilities are dependent on
JavaScript being switched on so you can minimise your risk by switching it
off except for when you absolutely need it.  Also beware that some
versions of Netscape (particularly some linked against glibc2) had a bug
whereby JavaScript would not actually go off despite the status of the
preferences.  I doubt Netscape will rush to fix these problems since they
are not widely known amongst the general public and hence they see no real
need.

If you are still worried then go and read up on these particular
vulnerabilities, how they work and how to deal with them.  In most cases
sensible browsing practices (especially having JavaScript turned off)
strongly reduce the level of risk.

Regards,

Christian.

============================================================================
"Those who do not understand Unix are condemned to reinvent it, poorly."
                					-- Henry Spencer
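
An added illustration of the point in the reply above, not part of the original message: the classic Unix owner/group/other check, applied to a browser process that runs with the invoking user's uid and groups. The paths, ids and modes are constructed samples, and the check is simplified (no ACLs, capabilities or directory-traversal bits). It shows that system files such as /etc/shadow stay out of reach while everything the user can read stays exposed.

```python
"""Classic Unix owner/group/other permission check (simplified model)."""
from collections import namedtuple

# Constructed sample entries: paths, ids and modes are illustrative only.
Entry = namedtuple("Entry", "path uid gid mode")
SAMPLE = [
    Entry("/home/user/.netscape/bookmarks.html", 1000, 1000, 0o600),
    Entry("/home/user/.netscape/preferences.js", 1000, 1000, 0o644),
    Entry("/home/user/locked-note.txt", 1000, 1000, 0o044),
    Entry("/home/alice/mail/inbox", 1001, 1001, 0o600),
    Entry("/home/shared/project.txt", 1001, 100, 0o660),
    Entry("/etc/passwd", 0, 0, 0o644),
    Entry("/etc/shadow", 0, 0, 0o600),
]

BITS = {"r": 4, "w": 2}


def may_access(uid, gids, entry, want):
    """Return True if a process with this uid/groups may read ('r') or write ('w')."""
    if uid == 0:
        return True  # root bypasses the mode bits for read and write
    # Exactly one class applies: owner, else group, else other.
    # An owner with no owner bits is denied even if "other" would be allowed.
    if uid == entry.uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((entry.mode >> shift) & BITS[want])


def reachable(uid, gids, entries, want="r"):
    """List the paths a process running as uid/gids can access for `want`."""
    return [e.path for e in entries if may_access(uid, gids, e, want)]


if __name__ == "__main__":
    # A browser started by uid 1000 (member of groups 1000 and 100).
    for want in "rw":
        print(want, reachable(1000, {1000, 100}, SAMPLE, want))
```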


