FW: NASIRC BULLETIN - B-96-11: (WWW Netscap) Netscape 2.0
Turba, Thomas N RV (tnt1@PO11.RV.UNISYS.COM)
Thu, 14 Mar 1996 14:03:00 CST
With so many Scouters now accessing web pages, and many of them using
Netscape, I thought it best to pass along this bulletin. Please note that
part of the bulletin has been chopped so that it would fit the 300 line
T. N. T.
To: (NASIRC General Distribution)
Subject: NASIRC BULLETIN - B-96-11: (WWW Netscap) Netscape 2.0 Security
Date: Monday, March 11, 1996 12:13AM
-----BEGIN PGP SIGNED MESSAGE-----
NASIRC BULLETIN B-96-11 March 11, 1996
Netscape 2.0 Security Risks
NASA Automated Systems Incident Response Capability
__ __ __ ___ ___ ____ ____
/_/\ /_/| /_/\ / _/\ /_/| / __/ \ / __/\
| |\ \| || / \ \ | /\/ | || | /\ \/ | | \/
| ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | |
| || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
|_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/
Serving NASA and the International Aerospace Communities
This bulletin reports a recently announced security vulner-
ability. It may contain a workaround or software
patch. Bulletins should be considered urgent as vulnera-
bility information is likely to be widely known by the time
a patch is issued or other solutions are developed.
It has been reported to NASIRC that several security
vulnerabilities exist in the released version of the Netscape
Navigator WWW browser.
The current implementation of the Netscape Navigator (Version
2.0) includes support for two programming environments: Java and
not be disabled and poses a security risk to systems which access
Any system running Netscape 2.0 or a Beta version of Netscape
2.0, including UNIX, Windows '95, Windows NT, and Macintosh, are
JAVA PROBLEM DESCRIPTION
Java is a new programming language from Sun Microsystems. The
language is intended to be portable across operating systems
(UNIX, DOS, Microsoft Windows, OS/2, etc). Java allows WWW
authors to create applets (downloadable applications) that will
run on the remote WWW browsers. The Java Applet Security Manager
was designed to prevent applets' misuse of the client computer to
create security vulnerabilities. However, a vulnerability was
discovered in the Netscape implementation of the security
manager. A correctly written applet, in combination with
information from a subverted DNS server, is able to make
connections to an arbitrary host, and exploit any possible
vulnerabilities on that arbitrary host. This is particularly
serious if that arbitrary host is behind a firewall, and not as
secure as it could be, relying on the firewall to protect it.
Accessing a WWW page containing such an applets will by-pass the
effectiveness of the firewall.
Java can be disabled in Netscape Navigator 2.0 clients under the
"Options" menu. Netscape has made a patch available to fix the
Java Applet Security Manager vulnerability in Netscape 2.0. More
details about the Java vulnerability and patch information are
embedded in HTML documents. This is another language that causes
resembles Java, but lacks Java's strong type checking.
o grab the E-mail address of the WWW browser user
o monitor the contents of the client cache of pages visited
o display a directory listing of any user-accessible disks on
Another "exploit" script demonstrates a denial-of-service attack
by continuously creating empty windows until the resources of the
user's system are depleted. Netscape Navigator 2.0 is not
functionality in Netscape Navigator 2.0.
Users should not use any version of Netscape 2.0 or any Beta
version of Netscape 2.0 as a WWW browser to visit any untrusted
WWW sites. Users and systems administrators should revert their
sites to Netscape Version 1.1, or use another WWW browser.
Netscape has announced to the press that Netscape Navigator 2.01
will address all known security vulnerabilities in the Java
Applet Security Manager and include an option to disable
WORKAROUND SOLUTION TO THE JAVA VULNERABILITY
For those sites that must use Netscape 2.0, a patch exists that
addresses the Java vulnerability. Users should be aware that
several other vulnerabilities existed in the Beta versions of
Netscape 2.0. These Beta versions should be discarded. Applying
The patch is available from NASIRC at
Users should be sure to download the file in binary mode. A PGP
signature of the patch file can be obtained from
************ chopped text ****************
Larry Schwimmer of Stanford University has written the following
script is written in the Perl scripting language (available from
****************** chopped text ******************
The most current version of "democha" will be available from
with a PGP signature of the file at
The current version of the script has been tested with Netscape
2.0 for several variants of UNIX, Macintosh, and Windows (32bit).
For PC and Macintosh platforms users can copy the Netscape binary
file to a UNIX machine with Perl, run the script against the
binary, and return the binary to the PC. This script is not
at the time. It may have the side-effect of crashing the browser
Note that the "democha" patch does not address the JAVA Applet
Security Manager vulnerability. The Netscape Java Applet
Security Manager patch should be applied in conjunction with this
NASIRC ACKNOWLEDGES: Emma Kolstad Antunes of GSFC,
Karen Kinsley of LARC, Steven McLaughlin of GSFC,
Bruce O'Neel of GSFC, and a myriad contributors
to the WWW Security Mailing List
providing information, Larry Schwimmer and
Stephen Hansen of Stanford University for
providing the "democha" script, and AUSCERT for
helpful commentary on drafts of this bulletin.
Please contact NASIRC if there are any questions about this
Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
International: +1-301-441-4398 STU III: 1-301-982-5480
Internet E-Mail: email@example.com
24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
FTP: nasirc.nasa.gov, login "anonymous"
This advisory may be forwarded without restriction to sites and
system administrators within the NASA community.
Anyone requiring assistance or wishing to report a security
incident but not operating in support of NASA may contact
the Forum of Incident Response and Security Teams (FIRST),
an international organization of incident response teams,
to determine their appropriate team. A list of FIRST member
organizations and their constituencies may be obtained by
sending E-Mail to "firstname.lastname@example.org" with an empty "subject"
line and a message body containing the line "send first-contacts"
or via WWW at http://www.first.org/first .
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
----- End of Forwarded message -----
Terry Howerton Sakima Group, Inc. SCOUTER Magazine Kansas City