Date: Tue, 16 Mar 1999 11:09:41 PST
From: Georgi Guninski <guninski@HOTMAIL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape upgrade

>FYI...
>
>Netscape has released version 4.51 of Communicator. It seems to fix the
>window spoofing bug ( http://www.geek-girl.com/bugtraq/1999_1/0747.html
),
>along with the javascript bugs that can be used to read local files
>from
>your hard drive. I verifed this by trying the exploits at
>http://www.whitehats.com/guninski/netscape.html
>

Netscape Communicator is a great product. Sure, it has great security
improvements. I like and use it. But it does not fix all of the exploits
at http://www.whitehats.com/guninski/netscape.html. I have tested (NC
4.51 Win95) and had some reports that the exploit
http://www.whitehats.com/guninski/nsfind.html (or
http://www.nat.bg/~joro/nsfind.html) still works on Netscape
Communicator 4.51. I would recommend still disabling JavaScript when
browsing untrusted sites.

Excuse me, if I am wrong.

Regards,
Georgi Guninski

Get Your Private, Free Email at http://www.hotmail.com

---------------------------------------------------------------------------

Date: Tue, 16 Mar 1999 11:01:21 -0600
From: Chris Price <cprice@ITS.TO>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape upgrade

    I downloaded and installed Netscape 4.51 and I can still run the Javascript
exploit that allows access to my harddrive...

    Is it just me, or does anyone else see this as a gaping security hole for
Netscape 4.5x users......

    Chris

Keith Young wrote:

> FYI...
>
> Netscape has released version 4.51 of Communicator. It seems to fix the
> window spoofing bug ( http://www.geek-girl.com/bugtraq/1999_1/0747.html ),
> along with the javascript bugs that can be used to read local files from
> your hard drive. I verifed this by trying the exploits at
> http://www.whitehats.com/guninski/netscape.html
>
> >From their release notes page (
> http://home.netscape.com/eng/mozilla/4.5/relnotes/windows-4.51.html )
>      "Fixes to improve security; in particular, the frame-spoofing
> vulnerability problem (
> http://home.netscape.com/products/security/resources/bugs/framespoofing.htm
> l )has been fixed"
>
> You can download version 4.51 at:
>      http://www.netscape.com/download/
>
> --Keith Young
> -youngk@ttc.com