Linux Today: Linux News On Internet Time.

Progeny Security Advisory: Netscape Navigator fails to protect privacy

Apr 20, 2001, 20:30
From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-07: Netscape Navigator fails to protect privacy
Date: Thu, 19 Apr 2001 19:26:36 -0500 (EST)



PROGENY LINUX SYSTEMS -- SECURITY ADVISORY               PROGENY-SA-2001-07

    Topic:          Netscape Navigator fails to protect privacy

    Software:       netscape
    Announced:      2001-04-09
    Credits:        Florian Wesch <fw@dividuum.de>
    Affects:        Progeny Debian (netscape prior to 4.77)
                    Debian GNU/Linux (netscape prior to 4.77)

    Vendor-Status:  New Version Released (4.77 on 2001-03-26)
    Corrected:      2001-04-19
    Progeny Only:   NO

$Id: PROGENY-SA-2001-07,v 1.2 2001/04/20 00:21:42 jdaily Exp $

SYNOPSIS

The Netscape browser sometimes handles JavaScript in an insecure manner. In certain situations, it allows remote web sites to send JavaScript commands in an unorthodox manner that could compromise private data.

PROBLEM DESCRIPTION

GIF-format graphics can contain comments, typically used by graphic designers and editors for recordkeeping. Florian Wesch discovered that the Netscape browser, while displaying a GIF image, can process JavaScript commands stored in GIF comments, and that commands issued in this unorthodox manner can do things that JavaScript commands are usually unable to do.

IMPACT

A web site can gain access to browser history and possibly other data kept in Netscape's browser that wouldn't normally be available.

SOLUTION

Upgrade to a fixed version of Netscape's browser. Netscape Navigator version 4.77 corrects the problem. For your convenience, you may upgrade to the package netscape_4.77-1progeny2.

WORKAROUND

The risk can be avoided without an upgrade by disabling JavaScript in the browser.

UPDATING VIA APT-GET

1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's update repository:

deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

Example:

# apt-get update

3. If you are currently running the Netscape browser, please exit the application.

4. Using apt(8), install the new package. apt(8) will download the update, verify its integrity with md5, and then install the package on your system with dpkg(8).

Example:

# apt-get install netscape

UPDATING VIA DPKG

We do not recommend upgrading Netscape's browser using dpkg. Please use apt.

MORE INFORMATION

See http://www.securityfocus.com/archive/1/175060 for further details of the vulnerability.

Progeny advisories can be found at http://www.progeny.com/security/.


pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>
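
A defensive check for the issue in PROBLEM DESCRIPTION, added here as an example and not part of the Progeny advisory: a Python parser that walks a GIF's blocks and returns its Comment Extension payloads, so stored or uploaded images can be audited for script-like comments. The SCRIPT_HINT pattern, the function names and the 1x1 sample image are assumptions made for this example.

```python
import re

# Heuristic for this example (an assumption, not taken from the advisory).
SCRIPT_HINT = re.compile(rb"<\s*script|javascript\s*:", re.I)

def _sub_blocks(data, pos):
    """Join length-prefixed sub-blocks up to the 0x00 terminator."""
    out = bytearray()
    while pos < len(data):
        size = data[pos]
        if size == 0:
            return bytes(out), pos + 1
        out += data[pos + 1:pos + 1 + size]
        pos += 1 + size
    raise ValueError("truncated GIF sub-block chain")

def _after_color_table(packed, pos):
    """Skip a colour table of 2**(n+1) RGB entries when its flag bit is set."""
    return pos + 3 * (2 << (packed & 7)) if packed & 0x80 else pos

def gif_comments(data):
    """Return the payload of every Comment Extension (0x21 0xFE) in a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF")
    pos, found = _after_color_table(data[10], 13), []
    while pos < len(data) and data[pos] != 0x3B:           # 0x3B = trailer
        if data[pos] == 0x21 and pos + 1 < len(data):      # extension block
            label = data[pos + 1]
            body, pos = _sub_blocks(data, pos + 2)
            if label == 0xFE:                              # comment label
                found.append(body)
        elif data[pos] == 0x2C and pos + 9 < len(data):    # image descriptor
            # Skip any local colour table, then the LZW minimum code size byte.
            pos = _after_color_table(data[pos + 9], pos + 10) + 1
            _, pos = _sub_blocks(data, pos)                # compressed pixels
        else:
            raise ValueError("unexpected byte at offset %d" % pos)
    return found

def suspicious_comments(data):
    """Comments that match the script-like heuristic above."""
    return [c for c in gif_comments(data) if SCRIPT_HINT.search(c)]

def _comment(text):  # one comment extension; text must be under 256 bytes
    return b"\x21\xfe" + bytes([len(text)]) + text + b"\x00"

# Constructed 1x1 sample GIF carrying two constructed comments.
BENIGN = b"Created with an image editor"
MARKED = b"<script>/* constructed marker, does nothing */</script>"
SAMPLE = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
          + _comment(BENIGN) + _comment(MARKED)
          + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b")
```

Calling suspicious_comments() on the bytes of each image in a cache or upload directory lists the comments worth reviewing; gif_comments() returns all of them for a manual audit.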