April 26, 2005 6:14 PM PDT

'Highly critical' flaw reported for Netscape software

An unpatched flaw in some versions of the Netscape browser could let an attacker into vulnerable systems, security company Secunia has warned.

The vulnerability is "highly critical," according to an advisory released by the Danish company late Tuesday. Versions 6.2.3 and 7.2 of Netscape are affected, and other versions may also be susceptible, the company said.

The flaw could allow a hacker to launch a buffer overflow attack, which could crash the browser or enable the attacker to execute code on the compromised system. A patch has not been created, according to Secunia.

A Netscape representative recommended on Wednesday that people upgrade to version 8.0 of the software, which is based on Firefox code and should not be affected by the flaw.

Secunia's advice for dealing with the issue is to "use another product."

"Use another browser"
by Anon-Y-mous April 26, 2005 6:43 PM PDT
Of course this one will never make front page CNN news. But clear proof that NO ONE can make a safe computer program. Now let's debate things at a realistic level. Netscape can't make a secure browser, neither can MS. DRAW. Now improve both of them, and make everything better.
Of course NO ONE can make a safe computer program
by April 26, 2005 10:48 PM PDT
I've been going hoarse trying to say this - it simply is NOT possible to write thousands of lines of code, without there being bugs in it - get used to it. Everyone can keep complaining & demanding "perfect code" but it ain't gonna happen.

But understand the difference between software flaws and flaws in other products (such as cars or kitchen devices or toys or anything else), with software, people deliberately set out to TRY TO BREAK IT. This does not happen for other products - you want to ***** - ***** about the people trying to exploit the bugs.
Run for your lives...
by April 26, 2005 7:59 PM PDT
Netscape has a major security flaw? Quick! Warn the 0.05% of the market that still uses the browser :D
So what else is there?
by Greenbeanx April 26, 2005 11:39 PM PDT
I'll go back to IE..that makes me feel very secure..whew..crisis averted..

Every piece of software has bugs..we are not perfect...plus people are ripping it apart. I'm on Firefox..never really had a problem, stable and I enjoy the tabbed browsing..of course it does have security flaws but what doesn't?
Opera 8
by April 27, 2005 3:47 AM PDT
I tried Firefox, but couldn't get it to work for some things. But I just downloaded Opera 8 & it seems to work pretty well. It was OK before, but the GUI wasn't all that intuitive. Now they've improved the GUI, I quite like Opera.
Yeah yeah
by April 27, 2005 2:02 AM PDT
So they COULD execute some code. But as with the majority of bugs the exploit is near impossible. Let alone that it's system dependent. I'm feeling quite secure with my linux box and firefox. Why? Because I never had any problems that I had with windows viruses/adware. And now windows PCs can be infected via pictures. I say use what you like and if an exploit comes out it will only prove it once again that it's not the software but the operating system that has the most part in the problems. I'm waiting for the moment that'll prove me otherwise but till then I'm on Unix and clones.
You're right, it has to be M$ fault,
by gfsdfge April 27, 2005 6:40 AM PDT
But I don't recall anyone saying the bug is only on windows...
Picture vulnerability? Firefox used to have it, too
by alegr April 27, 2005 10:52 AM PDT
http://www.securityfocus.com/bid/12881
I'll bet my system is unaffected.
by Macsaresafer April 27, 2005 6:45 AM PDT
A buffer overflow in an application like Netscape can take over the system? LOL, they must be talking about Windows.

If I were using Netscape on a regular basis, I wouldn't hesitate to continue. Of course, my system is much more secure than a Windows based box.
You lose the bet
by aabcdefghij987654321 April 27, 2005 7:21 AM PDT
See my reply to your other nearly identical message.

You are not safe to use Netscape.
Not that simple
by alegr April 27, 2005 10:48 AM PDT
There are different classes of vulnerabilities.
For example, a buffer overflow in a user application may allow for arbitrary code execution. Note that NoExecute feature (NPX in Linux) is not bulletproof, it only saves you from executing code from stack, but it doesn't protect you from specifically crafted return/argument sequence which would copy the buffer to executable area and then run it.

That said, arbitrary code execution in user mode app running under non-privileged user is not the worst thing. It can install keyloggers that will only work under your account, though, and can install other parasitic software.
But combined with privilege elevation vulnerability, local code execution allows to completely own your machine, no matter what account you're logged on.

Now go to some vulnerability reporting site and search for remote code execution and privilege elevation vulnerabilities for your favorite secure unbreakable OS and your favorite secure unbreakable browser. You will see they exist.
ignorance
by April 28, 2005 9:57 PM PDT
Wow, the ignorance in your post is amazing. You are the type of users that ensure Linux malware will arrive. There are already 100's of rootkits for it and all they need is your little buffer overflow and then they can take advantage of the endless list of ways to do privilege escalation. Please please please stop using mozilla and linux/OS X, you give us all a bad name with your ignorance
Other browsers affected too
by David Arbogast April 27, 2005 9:13 AM PDT
When applications share a code base, one bug can affect them all. Where are the extra open-source eyes that are supposed to prevent this kind of thing from happening? Firefox, Netscape, Thunderbird.... Their common code base means they all suffer from common bugs.

And as far as I can see right now, there is no patch available. Download a complete new version. Uninstall existing version. Install new version. Test features and applications for compatibility problems with existing infrastructure.

Yay.

http://www.kb.cert.org/vuls/id/557948
http://www.mozilla.org/security/announce/mfsa2005-32.html
http://www.mozilla.org/security/announce/mfsa2005-31.html
http://www.mozilla.org/security/announce/mfsa2005-30.html
http://www.mozilla.org/security/announce/mfsa2005-30.html
Hi Dave...
by Michael Grogan April 27, 2005 9:55 AM PDT
...glad to see you're still in there thumping the drum for M$. How are things in Redmond? Just wanted to point out that you provided 2 links to the same doc. : )
Uninstall/reinstall no longer necessary for Firefox
by Kelson April 27, 2005 10:28 AM PDT
Yes, you do still have to download the full installer (all 4 MB of it, which is still annoying for dial-up, but much less on DSL/cable), but with 1.0.3 they've fixed the bug where you had to uninstall the old version first.
Netscape is near-abandonware. Mozilla is the current version.
by Kelson April 27, 2005 10:24 AM PDT
Every once in a while, AOL grabs a chunk of Mozilla, adds AIM and a couple of other proprietary features, changes the logos and name, releases it as Netscape, then promptly forgets about it.

Then someone finds a bug in Mozilla, Mozilla fixes it and releases an updated version, and AOL has to be prodded to remember that it's in the same code they used for Netscape. This has only gotten worse since they closed down their browser division (the upcoming Netscape 8 is being developed by an outside company).

If you want security fixes for your Gecko-based web browser, go to the source (pun not intended) and use Mozilla or Firefox. Don't wait for AOL to hire a new batch of temps.