Date: Tue, 16 Mar 1999 11:09:41 PST
From: Georgi Guninski
To: BUGTRAQ@netspace.org
Subject: Re: Netscape upgrade

>FYI...
>
>Netscape has released version 4.51 of Communicator. It seems to fix the
>window spoofing bug ( http://www.geek-girl.com/bugtraq/1999_1/0747.html ),
>along with the javascript bugs that can be used to read local files from
>your hard drive. I verified this by trying the exploits at
>http://www.whitehats.com/guninski/netscape.html
>

Netscape Communicator is a great product. Sure, it has great security
improvements. I like and use it.
But it does not fix all of the exploits at
http://www.whitehats.com/guninski/netscape.html.
I have tested (NC 4.51 Win95) and had some reports that the exploit
http://www.whitehats.com/guninski/nsfind.html
(or http://www.nat.bg/~joro/nsfind.html) still works on Netscape
Communicator 4.51.
I would recommend still disabling JavaScript when browsing untrusted sites.
Excuse me if I am wrong.

Regards,
Georgi Guninski

---------------------------------------------------------------------------

Date: Tue, 16 Mar 1999 11:01:21 -0600
From: Chris Price
To: BUGTRAQ@netspace.org
Subject: Re: Netscape upgrade

I downloaded and installed Netscape 4.51 and I can still run the Javascript
exploit that allows access to my hard drive... Is it just me, or does anyone
else see this as a gaping security hole for Netscape 4.5x users......

Chris

Keith Young wrote:

> FYI...
>
> Netscape has released version 4.51 of Communicator. It seems to fix the
> window spoofing bug ( http://www.geek-girl.com/bugtraq/1999_1/0747.html ),
> along with the javascript bugs that can be used to read local files from
> your hard drive. I verified this by trying the exploits at
> http://www.whitehats.com/guninski/netscape.html
>
> From their release notes page (
> http://home.netscape.com/eng/mozilla/4.5/relnotes/windows-4.51.html )
> "Fixes to improve security; in particular, the frame-spoofing
> vulnerability problem (
> http://home.netscape.com/products/security/resources/bugs/framespoofing.html
> ) has been fixed"
>
> You can download version 4.51 at:
> http://www.netscape.com/download/
>
> --Keith Young
> -youngk@ttc.com