-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
Content-Type: text/plain; charset=us-ascii



===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Don Stikvoort                               Index  :    S-96-13
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Netscape 2.0 Security Risks                 Date   :  11-Mar-96
===============================================================================

By courtesy of NASIRC (the NASA CERT) we received information on 
vulnerabilities in Netscape 2.0 with regards to the Java and JavaScript 
programming environments. The Java problem was mentioned in less detail 
already in S-96-12, the JavaScript problem was not.

If you were planning an upgrade to Netscape 2.0 it seems wise to wait 
at least until 2.01 arrives. If you have pressing reasons to use or
install 2.0, please take very good notice of the below recommendations.

==============================================================================

        NASIRC BULLETIN B-96-11         March 11, 1996

                           Netscape 2.0 Security Risks
         ===========================================================
            NASA Automated Systems Incident Response Capability
               __    __      __      ___   ___  ____     ____
              /_/\  /_/|    /_/\    / _/\ /_/| / __/ \  / __/\
              | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/
              | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |
              | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
              |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/
          Serving NASA and the International Aerospace Communities
         ===========================================================

         This bulletin reports a recently announced security vulner-
         ability.    It   may   contain   a   workaround or software
         patch.  Bulletins should be considered urgent  as  vulnera-
         bility information is likely to be widely known by the time
         a patch is issued or other solutions are developed.

         ===========================================================

        It has been reported to NASIRC that several security
        vulnerabilities exist in the released version of the Netscape
        Navigator WWW browser.


PROBLEM OVERVIEW

        The current implementation of the Netscape Navigator (Version
        2.0) includes support for two programming environments: Java and
        JavaScript. The implementation of Java contains a security
        vulnerability that can be disabled or patched.  JavaScript can
        not be disabled and poses a security risk to systems which access
        pages containing JavaScript.  A workaround patch is provided to
        disable JavaScript.


SYSTEMS AFFECTED

        Any system running Netscape 2.0 or a Beta version of Netscape
        2.0, including UNIX, Windows '95, Windows NT, and Macintosh, are
        affected.


JAVA PROBLEM DESCRIPTION

        Java is a new programming language from Sun Microsystems. The
        language is intended to be portable across operating systems
        (UNIX, DOS, Microsoft Windows, OS/2, etc).  Java allows WWW
        authors to create applets (downloadable applications) that will
        run on the remote WWW browsers.  The Java Applet Security Manager
        was designed to prevent applets' misuse of the client computer to
        create security vulnerabilities.  However, a vulnerability was
        discovered in the Netscape implementation of the security
        manager.  A correctly written applet, in combination with
        information from a subverted DNS server, is able to make
        connections to an arbitrary host, and exploit any possible
        vulnerabilities on that arbitrary host. This is particularly
        serious if that arbitrary host is behind a firewall, and not as
        secure as it could be, relying on the firewall to protect it.
        Accessing a WWW page containing such an applets will by-pass the
        effectiveness of the firewall.

        Java can be disabled in Netscape Navigator 2.0 clients under the
        "Options" menu.  Netscape has made a patch available to fix the
        Java Applet Security Manager vulnerability in Netscape 2.0.  More
        details about the Java vulnerability and patch information are
        available from

            http://www.netscape.com/newsref/std/java_security.html



JAVASCRIPT PROBLEM DESCRIPTION

        JavaScript is an interpreted language from Netscape that can be
        embedded in HTML documents.  This is another language that causes
        the WWW browser to execute downloaded programs.  JavaScript
        resembles Java, but lacks Java's strong type checking.
        JavaScript demonstration 'exploit' scripts have been created
        which can:

            o grab the E-mail address of the WWW browser user
            o monitor the contents of the client cache of pages visited
            o display a directory listing of any user-accessible disks on the
                browser's host.

        Another "exploit" script demonstrates a denial-of-service attack
        by continuously creating empty windows until the resources of the
        user's system are depleted. Netscape Navigator 2.0 is not
        currently equipped with any mechanism to disable JavaScript.  A
        workaround patch is included that will disable most JavaScript
        functionality in Netscape Navigator 2.0.


RECOMMENDED SOLUTION

        Users should not use any version of Netscape 2.0 or any Beta
        version of Netscape 2.0 as a WWW browser to visit any untrusted
        WWW sites. Users and systems administrators should revert their
        sites to Netscape Version 1.1, or use another WWW browser.
        Netscape has announced to the press that Netscape Navigator 2.01
        will address all known security vulnerabilities in the Java
        Applet Security Manager and include an option to disable
        JavaScript execution on the client.


WORKAROUND SOLUTION TO THE JAVA VULNERABILITY

        For those sites that must use Netscape 2.0, a patch exists that
        addresses the Java vulnerability.  Users should be aware that
        several other vulnerabilities existed in the Beta versions of
        Netscape 2.0. These Beta versions should be discarded.  Applying
        this patch does not address the JavaScript vulnerability.

        The patch is available from NASIRC at

            ftp://nasirc.nasa.gov/patches/Netscape/moz2_0.zip

        Users should be sure to download the file in binary mode.  A PGP
        signature of the patch file can be obtained from

            ftp://nasirc.nasa.gov/patches/Netscape/moz2_0.zip.asc


 +--------------- BEGIN INCLUDED Netscape Patch Installation Instructions 
- ----------------
 |
 | INSTALLATION INSTRUCTIONS FOR JAVA APPLET SECURITY MANAGER PATCH
 |
 | After downloading the patch, follow these installation instructions:
 |
 | For PC users:
 |
 |    1. Close your Netscape Navigator if it is running currently.
 |    2. Replace the existing moz2_0.zip file in your Java classes
 |       directory which resides in your Netscape's program directory.
 |
 |       For example, if you installed your Netscape Navigator in
 |       C:\Netscape, then moz2_0.zip  should be in
 |
 |          C:\Netscape\Program\Java\Classes\Moz2_0.zip
 |
 | For Unix users:
 |
 |    1. Close your Netscape Navigator if it is running currently.
 |    2. Replace the exisiting moz2_0.zip file, which may reside in any
 |       of these directories:
 |
 |           The current directory
 |           /usr/local/netscape/java/classes
 |           /usr/local/lib/netscape
 |           $HOME/.netscape
 |
 +--------------- END INCLUDED Netscape Patch Installation Instructions 
- ----------------


        More information about the vulnerability and the patch can be
        obtained from Netscape at

            http://www.netscape.com/newsref/std/java_security.html.


WORKAROUND SOLUTION TO THE JAVASCRIPT PROBLEM

        Larry Schwimmer of Stanford University has written the following
        "democha" script to disable JavaScript in Netscape 2.0.  This
        script is written in the Perl scripting language (available from
        ftp://nasirc.nasa.gov/toolkits/UNIX/Perl ).


 +--------------- BEGIN INCLUDED Democha Shell Script ----------------
 | #! /bin/sh
 | # @(#) democha version 1.4 7 March 1996 las
 | # democha: disable JavaScript in netscape2.0
 | # Usage: democha [netscape_binary]
 |
 | perl -i.orig -pe '
 |      s/\0script\0/\0\0\0\0\0\0\0\0/g;
 |      s/\ca\&script\ca\&/\ca\&\0\0\0\0\0\0\ca\&/g;
 |      s/(javascript|livescript|mocha):/" " x length($1) . ":"/e;
 |      s/(x-javascript\0.*applets\0)/"\0" x length($1)/e;
 |      s/(\0onsubmit\0.*\0onunload\0)/"\0" x length($1)/e;
 |      s/(\0onunload\0.*\0applets\0)/"\0" x length($1)/e;
 |      if (($a,$b,$c) = /(.*x-javascript\cb)(.*)(\#.*)/) {
 |          $b =~ tr/a-zA-Z/ /;
 |          $_ = "$a$b$c\n";
 |      }
 |      ' "${1-netscape}"
 |
 +--------------- END INCLUDED Democha Shell Script ----------------


        The most current version of "democha" will be available from

            ftp://nasirc.nasa.gov/patches/Netscape/democha.sh

        with a PGP signature of the file at

            ftp://nasirc.nasa.gov/patches/Netscape/democha.sh.asc

        The current version of the script has been tested with Netscape
        2.0 for several variants of UNIX, Macintosh, and Windows (32bit).
        For PC and Macintosh platforms users can copy the Netscape binary
        file to a UNIX machine with Perl, run the script against the
        binary, and return the binary to the PC. This script is not
        guaranteed to disable all JavaScript functionality.  It has
        worked with several JavaScript exploit pages that were available
        at the time.  It may have the side-effect of crashing the browser
        when some JavaScript pages are accessed.

        Note that the "democha" patch does not address the JAVA Applet
        Security Manager vulnerability.  The Netscape Java Applet
        Security Manager patch should be applied in conjunction with this
        patch.


        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                NASIRC ACKNOWLEDGES: Emma Kolstad Antunes of GSFC,
                        Karen Kinsley of LARC, Steven McLaughlin of GSFC,
                        Bruce O'Neel of GSFC, and a myriad contributors
                        to the WWW Security Mailing List
                        (www-security-request@nsmx.rutgers.edu) for
                        providing information, Larry Schwimmer and
                        Stephen Hansen of Stanford University for
                        providing the "democha" script, and AUSCERT for
                        helpful commentary on drafts of this bulletin.
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IITSYjBqwfc9jEQKl/wCfS3QcnuXzzD4GxQvDUA62owFnbpQAoNc1
d1ELLHjJi+Bu+qEw+JzA1sDI
=ikFI
-----END PGP SIGNATURE-----