
Security vulnerabilities

Gopal benakanawari
10IS12F
NITK, Surathkal


XMLHttpRequest Vulnerability

A flaw that could potentially allow a malicious web site to read files stored on a user's computer
has been discovered in Netscape 6.1 through 6.2.2 versions of the Netscape browser. There are
no known instances of this flaw being exploited. Netscape encourages those using versions 6.1
through 6.2.2 to upgrade to the latest browser version, which is not subject to this potential flaw.

Sun JRE (Java Runtime Environment) Issue

Sun Microsystems has warned users of a potential issue affecting the Sun Java Runtime
Environment Bytecode Verifier and has made the remedy available to its Java technology
licensees. Netscape is not aware of any instances of this flaw being exploited. Netscape has
released the Netscape 6.2.2 browser, which is not subject to this potential vulnerability, and
encourages Netscape Communicator users as well as Netscape 6.x users to upgrade to the latest
Netscape software at: NETSCAPE.1command.com

Sun JVM (Java Virtual Machine) Issue

Sun Microsystems has warned users of a potential issue affecting the Sun Java Virtual Machine
(JVM) and has released a new Sun JVM plug-in, which avoids this issue. Although there are no
known instances of this issue ever actually occurring, Netscape encourages Netscape
Communicator users as well as users who are running the complete installations (which include
the Sun JVM) of Netscape 6.0, 6.01 and 6.1 to upgrade to the latest Netscape software. Netscape
6.2 and above include the Sun JVM plug-in and are not subject to this potential issue.

Cookie Vulnerability

A flaw that could potentially allow a malicious web site to read the cookies that another site has
stored on a user's computer has been discovered in Netscape 6 through 6.2 versions of the
Netscape browser. There are no known instances of this flaw being exploited. This issue does not
affect users of Netscape 6.2.1, nor does it affect users of Netscape Communicator 4.x versions.
We encourage those using Netscape versions 6 through 6.2 to upgrade to the latest browser
version.

SmartDownload Exploit

A potential exploit was discovered for Netscape SmartDownload version 1.3 in which a buffer
overflow could potentially be used to execute malicious code on a user's computer. The potential
exploit affects Netscape 4.x or Internet Explorer Browser users with SmartDownload 1.3
installed on their computer. This does not affect users running Netscape 6. Netscape has issued
SmartDownload version 1.5 which avoids the potential exploit. Although there are no known
instances of this exploit ever actually occurring, upgrading to version 1.5 will ensure that you are
not affected. We encourage users to upgrade to the latest Netscape browser version.

The Brown Orifice Vulnerability (August 8, 2000)

This vulnerability has been identified in Netscape Communicator versions 4.0 through 4.74 on
Windows, Macintosh and Unix operating systems. This vulnerability does not affect Netscape 6.
Netscape has released Netscape 4.76 and Netscape 6 browser versions, which are not subject to
this vulnerability. We encourage users to upgrade to the latest Netscape browser version.

eMail Wiretapping Exploit

An exploit that could potentially affect Netscape 6 Mail users has been discovered. This exploit
could allow the originator of an email message to include hidden JavaScript code in an
attachment so that the originator is copied on all forwarded versions of the message. There are no
known instances of this exploit, which does not affect users of Netscape Communicator. This
exploit does not affect users of Netscape 6.01. We encourage users to upgrade to the latest
Netscape browser version.

JavaScript Cookie Exploit (May 2, 2000)

An exploit was reported for Netscape Communicator 4.72 and earlier in which a hostile site can
read the links in a user's bookmark file and some attributes of HTML files if the user's profile
name and the Communicator installation directory path are known to the hostile site. This exploit
has been fixed in Netscape Communicator 4.73. Users of previous Communicator versions can
use any of four techniques to prevent the exploit. We encourage users to upgrade to the latest
Netscape browser version.

The Acros-Suencksen SSL Vulnerability

This vulnerability, which could allow a malicious web master to intercept secure data via an
SSL connection, has been identified and fixed in both the Personal Security Manager (PSM) for
Netscape Communicator and Netscape Communicator version 4.73. Netscape Communicator 4.x
users can protect themselves from this vulnerability by installing the most recent version of the
Netscape client.

Java Security Vulnerability (March 29, 1999)

Netscape has been alerted to a security vulnerability in the implementation of Java that affects
Windows, Mac OS, and UNIX versions of Netscape Communicator and Netscape Navigator
4.0x and higher. It does not appear to affect previous versions of Navigator. For more details,
read the update. This vulnerability has since been identified and fixed in Netscape 4.51. We
encourage users to upgrade to the latest Netscape browser version.

The Frame-Spoofing Vulnerability (January 7, 1999)

Netscape was alerted to a security vulnerability that affects versions of Netscape Navigator on
all available platforms that support the use of frames, including versions 2.0 through 4.5. The
bug has been fixed in Communicator 4.51 and we encourage users to upgrade to the latest
Netscape browser version. For more details on this vulnerability, read the update.

JavaScript Cache Browsing Bug (October 29, 1998)

Netscape was alerted to a security vulnerability that affects Netscape Navigator 3.04 and 4.07
and Netscape Communicator 4.5. (Note: Mac OS and Unix versions are NOT affected.) The bug
has been fixed in the latest version, Communicator 4.51. For more details on this vulnerability,
read the update. We encourage users to upgrade to the latest Netscape browser version.

Injection Bug (October 29, 1998)

Netscape was alerted to a privacy vulnerability that affects the Netscape Navigator browser. The
Injection bug affects Navigator 3.x and Netscape Communicator 4.0 to 4.07 as well as the two
prerelease beta versions of Communicator 4.5 for all platforms. The bug has been fixed in the
final released version of Communicator 4.5. For more details on this vulnerability, read the
update. We encourage users to upgrade to the latest Netscape browser version.

JavaScript Technology in Email (September 18, 1998)

Netscape was recently contacted about the potential for undesired behavior in HTML-based
email clients that run JavaScript. For more details on this vulnerability, read the update. We
encourage users to upgrade to the latest Netscape browser version.

No-Cache Meta-Tag Bug (October 29, 1998)

This bug, which has been identified and fixed in Netscape Communicator 4.08, represents a
behavioral change in how Netscape Navigator handles local memory cache in versions of
Netscape Communicator 4.07 to 4.5. It affects only secure web pages and only if multiple people
use the same physical desktop PC. It in no way results in lost or stolen data over the Internet. For
more details on this vulnerability, read the update. We encourage users to upgrade to the latest
Netscape browser version.

MIME Type Buffer Overflow Vulnerability (November 6, 1998)

This bug has been identified and fixed in Netscape Communicator 4.08. For more details on this
vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser
version.
