From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-07: Netscape Navigator fails to protect privacy
Date: Thu, 19 Apr 2001 19:26:36 -0500 (EST)
PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-07
Topic: Netscape Navigator fails to protect privacy
Software: netscape
Announced: 2001-04-09
Credits: Florian Wesch <fw@dividuum.de>
Affects: Progeny Debian (netscape prior to 4.77)
         Debian GNU/Linux (netscape prior to 4.77)
Vendor-Status: New Version Released (4.77 on 2001-03-26)
Corrected: 2001-04-19
Progeny Only: NO
$Id: PROGENY-SA-2001-07,v 1.2 2001/04/20 00:21:42 jdaily Exp $
SYNOPSIS
The Netscape browser sometimes handles JavaScript in an insecure
manner. In certain situations, it allows remote web sites to send
JavaScript commands in an unorthodox manner that could compromise
private data.
PROBLEM DESCRIPTION
GIF-format graphics can contain comments, typically used by
graphic designers and editors for recordkeeping. Florian Wesch
discovered that the Netscape browser, while displaying a GIF image,
can process JavaScript commands stored in GIF comments, and that
commands issued in this unorthodox manner can do things that
JavaScript commands are usually unable to do.
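The following Python parser is an added example, not part of the original advisory or of Netscape's code: it walks a GIF's block structure and returns each Comment Extension payload so that comments can be reviewed before an image is served or opened. The SCRIPT_MARKERS patterns and the sample_gif helper are assumptions constructed for illustration; the advisory does not state what form the embedded JavaScript takes.

```python
import struct

# Assumption: triage patterns only; the advisory does not give the script's form.
SCRIPT_MARKERS = (b"<script", b"javascript:")

def _sub_blocks(data, pos):
    """Join a chain of GIF data sub-blocks; return (payload, next_pos)."""
    out = bytearray()
    while (size := data[pos]):                # a zero-length block ends the chain
        out += data[pos + 1:pos + 1 + size]   # running past the end raises IndexError
        pos += 1 + size
    return bytes(out), pos + 1

def _after_color_table(packed, pos):
    # Bit 7 set means a table of 3 * 2^(n+1) bytes follows, n = low 3 bits.
    return pos + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)

def gif_comments(data):
    """Return the payload of every Comment Extension (0x21 0xFE) in a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    comments = []
    try:
        pos = _after_color_table(data[10], 13)    # header + screen descriptor
        while data[pos] != 0x3B:                  # 0x3B is the trailer
            if data[pos] == 0x21:                 # extension: label, sub-blocks
                label = data[pos + 1]
                payload, pos = _sub_blocks(data, pos + 2)
                if label == 0xFE:
                    comments.append(payload)
            elif data[pos] == 0x2C:               # image descriptor
                pos = _after_color_table(data[pos + 9], pos + 10)
                _, pos = _sub_blocks(data, pos + 1)   # skip LZW code size byte
            else:
                raise ValueError("unexpected block 0x%02x" % data[pos])
    except IndexError:
        raise ValueError("truncated GIF") from None
    return comments

def suspicious_comments(data):
    # Comments matching any SCRIPT_MARKERS pattern, case-insensitively.
    return [c for c in gif_comments(data) if any(m in c.lower() for m in SCRIPT_MARKERS)]

def sample_gif(comments):
    """Constructed 1x1 GIF89a carrying non-empty comment payloads (<256 bytes)."""
    out = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
    for c in comments:
        out += b"\x21\xfe" + bytes([len(c)]) + c + b"\x00"
    return out + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00\x3b"
```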
IMPACT
A web site can gain access to browser history and possibly other
data kept in Netscape’s browser that wouldn’t normally be
available.
SOLUTION
Upgrade to a fixed version of Netscape’s browser. Netscape
Navigator version 4.77 corrects the problem. For your convenience,
you may upgrade to the package netscape_4.77-1progeny2.
WORKAROUND
The risk can be avoided without an upgrade by disabling
JavaScript in the browser.
UPDATING VIA APT-GET
1. Ensure that your /etc/apt/sources.list file has a URI for
Progeny’s update repository:
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
Example:
# apt-get update
3. If you are currently running the Netscape browser, please
exit the application.
4. Using apt(8), install the new package. apt(8) will download
the update, verify its integrity with md5, and then install the
package on your system with dpkg(8).
Example:
# apt-get install netscape
UPDATING VIA DPKG
We do not recommend upgrading Netscape’s browser using dpkg.
Please use apt.
MORE INFORMATION
See http://www.securityfocus.com/archive/1/175060
for further details of the vulnerability.
Progeny advisories can be found at http://www.progeny.com/security/.
pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>