-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Nico de Koo Index : S-97-52 Distribution : World Page : 1 Classification: External Version: 1 Subject : Netscape Navigator Security Vulnerability Date : 01-Jul-97 =============================================================================== By courtesy of Netscape Comm, Inc. and CIAC (The U.S. Department of Energy Computer Incident Advisory Capability) we received information on a vulnerability in Netscape Navigator and Communicator. CERT-NL recommends to apply the workaround or the appropriate patch provided below. ______________________________________________________________________________ PROBLEM: A problem has been identified in the Netscape Navigator. PLATFORM: All platforms running Netscape Navigator 2.0, 3.0, and Communicator 4.0. DAMAGE: This vulnerability may allow a Web site operator to retrieve known files from the hard disks of visiting users by mimicking the submission of a form. SOLUTION: Apply the workaround or the appropriate patch provided below. ______________________________________________________________________________ VULNERABILITY The exploit is not currently available but knownledge of this ASSESSMENT: vulnerability has been highly publicized by the media. ______________________________________________________________________________ Introduction ============ Recently, the Internet community was made aware of a bug in the Netscape Navigator. Netscape engineers were able to recreated the bug in Netscape Communicator and Navigator 2.0 and 3.0. Known as the privacy bug, it may allow a Web site operator to retrieve known files from the hard disks of visiting users by mimicking the submission of a form. Under ordinary circumstances, users browsing on known, trusted sites are not at risk. However, if a user visits an unknown, untrusted site, the operator of that site could potentially retrieve files from a user's hard disk through an obscure series of steps. To access a file on the hard drive the Web site operator would need to know the exact name and location of the file. Even though the bug has been highly publicized, this factor in itself limits the possibility of this vulnerability being exploited. Netscape released the following statement: "The execution of this attack requires specific knowledge of the user's machine to cause harm and so is unlikely to be reproduced. Because this specific bug has existed for more than a year and a half since Navigator 2.0 -- and Netscape has never had a report about this bug or any loss based on this bug -- we believe the risk to users from this bug is relatively low." CIAC recommends that you apply the workarounds or the appropriate patch provided below. Workarounds =========== To remove any risk of this bug, Navigator users should download the updated version of Communicator or Navigator, that includes the fix. In the interim, users of Navigator 3.0 and Communicator 4.0 can take the following steps to enable warning dialog boxes to detect and cancel form submissions: In Navigator 3.0: Go to the Options menu and select Security Preferences. Select the "Submitting a Form Insecurely" preference to enable that warning dialog box. In Navigator 4.0: Select the lock in the toolbar to open the Security Advisor. Select Navigator, then select the "Sending Unencrypted Information to a Site" preference to enable that warning dialog box. Patches or Upgrades =================== Communicator 4.01 for Windows (includes the fix for privacy bug) http://home.netscape.com/download/client_download.html?communicator4.01 Navigator 3.0 Fix pending per Netscape ______________________________________________________________________________ CERT-NL wishes to acknowledge the contributions of Netscape and CIAC for the information contained in this bulletin. ______________________________________________________________________________ ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 52 87 92 82 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 52 87 92 82 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBM7lE8UU5nQkWIq1FAQGfFAQAkmphwDctt7QxOjcM9/jmwz2PVRKEVPeH O6AdcWKLgv7XunkZoQmO4M+4cT/BKiS1HlJnhvTjzrJJavkZHpibByONgKZGjZSW S44UUMplhIMdk73j1IZYizRP9+2VQUoqBveuoj0rIolP4GwkUIhbZF4cjDB5y+rd S8qgO0IqZgU= =u8GP -----END PGP SIGNATURE-----