Netscape 2.01 is coming.

I Find Karma (adam@cs.caltech.edu)
Mon, 11 Mar 96 13:26:59 PST


These three are from Netsurfer Digest this morning.

Adam

YET MORE SERIOUS SECURITY PROBLEMS WITH WINDOWS WEB SERVERS

NT Netscape server, Website, and Microsoft Internet Information Server
are vulnerable. It's possible for hackers to execute arbitrary DOS
commands on these servers because they can pass commands unchecked to
the DOS command interpreter. Patches are available for the Microsoft
server, but the others remain vulnerable. More technical details are
available at these sites.
<URL:http://www.netcraft.com/security/http/cgi_dos.html>
<URL:http://www.omna.com/iis-bug.htm>

NETSCAPE 2.0 JAVA SECURITY HOLE AND FIX

The culprit is the Java Applet Security Manager, a small section of
software that ensures a Java applet can only contact the host from
which it is downloaded. The Security Manager figures out which
computer it came from by querying the Domain Name System (DNS), and
DNS spoofing by hackers could result in access to computers behind a
firewall. Netscape has a fix available for downloading, with more
technical information. It appears that Sun's JDK development kit is
also affected. Further info is available from CERT.
Netscape Fix: <URL:http://home.netscape.com/newsref/std/java_security.html>
CERT: <URL:ftp://info.cert.org/pub/cert_advisories/CA-96.05.java_applet_security_mgr>

NETSCAPE JAVA SCRIPT SECURITY HOLE AND NO FIX (YET)

The language, JavaScript - not the same as Sun's Java language -
allows Web servers to 1) secretly record file names (only) from a
websurfer's hard drive, and 2) secretly induce a websurfer's computer
to send e-mail to a third party. Netscape announced they will
introduce version 2.01, which will eliminate these bugs and allow
users to turn off JavaScript, next week. The following two pages have
more information on these and other possible security problems with
JavaScript. <URL:http://www.c2.org/~aelana/javascript.html>
<URL:http://www.osf.org/~loverso/javascript/>