Skip to page content or Skip to Accesskey List.

Work

Main Page Content

Security Hole In Netscape Buffer Overflow

Posted on 06 Sep 1999

in News

by Elfur Logadòttir (elfur)

Rated 3.89 (Ratings: 0)

Want more?

  • More articles in News
 
Picture of elfur

Elfur Logadòttir

Member info

User since: 14 Dec 1998

Articles written: 4

A new security hole, caused by a buffer overflow bug has been discovered in at least some Netscape 4.x browsers.

The security hole, involving the use of the EMBED tag with a very long PLUGINSPAGE attribute leaves the victims machine vulnerable to any command execution. This means a hostile page can run arbitrary code in the browser and can inject a virus or trojans.

An example has been written and put online. The example overwrites the handling address of the access violation and the exploit code is called when the access violation is caused. The example was coded for Win98, but accordingly WinNT and Win95 contain the same problem. This is a serious problem that can't be avoided. Some have even stated that you should switch to other browsers before and until Netscape comes up with a fix and the least you should do if you use Netscape to read mail, is to make sure that HTML mail is disabled and if you can't do that, switch to other mail clients.

I will not post the location of the example pages with the exploit code, but a trimmed example that will not cause your computer any harm. If correctly executed, it could still crash your browser.

Note: The embed tag has to be on one line and the comment tags removed.

---------cut here-------

<HTML>

<HEAD>

<TITLE>Test</TITLE>

</HEAD>

<BODY>

<!-- EMBED SRC="netscape bug"

PLUGINSPAGE="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaa"

TYPE="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" WIDTH="1500"

HEIGHT="1000"> </EMBED -->

</BODY>

</HTML>

---------cut here---------

Credits:

I first noticed it at web design forum's (mailing list), but later learned that it had been posted on Bugtraq last Thursday, this news flash is generated from both places.

Elfur Logadòttir (elfur) is The Icelandic One. She is a student, a freelance Web developer, a mother, a soccer club manager, a founding member of evolt.org and evolt.org's current secretary. Elfur has been attached to the Web since it's early days, when the likes of Netscape 1.0 were The Ultimate Experience and Wired was the place to love.

The access keys for this page are: ALT (Control on a Mac) plus:

evolt.org Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.