Re: netscape security hole
Dear
On Tue, Aug 08, 2000 at 05:44:45PM -0400, David Teague wrote:
>
> On NPR's Morning Edition they described a security hole in Netscape
> versions 4.73 and earlier that allows 'infection' by access to
> 'nasty' web sites. It is said to put your hard drive at risk some
> way.
>
> I assume this is a Windows problem, BUT does anybody know what this
> hole is and whether Linux is susceptible? (Probably only the user's
> files would be at risk at worst.)
>
That is a hole in Netscape & SDK which it internally uses. What happens
is simply that javascript executes (very fast and without notice) and
it makes your Netscape a web-server. Your IP could be tracked down by
the server where you got the javascript, and somebody else could browse
through your files, and take informations. However, the hole is in the
Netscape, they can't browse directories which are disabled to be readable
by "others".
Files could be deleted or read, if one set it up in that javascript.
That hole in Netscape is not the hole in Linux or in Debian OS, because
there are also other ways to intrude the system and see what is there.
It is responsibility of the system administrator to ensure what kind of
software does he install and if he can trust that company which made it.
But anybody who has properly set up the ipchains, should be pretty much
secure and imune to that. That java-web-server runs on some different port,
so if you you know ports you allow to access and which services should
run on those ports, even when you execute that javascript, nobody could
access any of your files.
The story is somewhere on /.
Sincerely,
Marko Cehaja
Reply to: