-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== Content-Type: text/plain; charset=us-ascii =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Don Stikvoort Index : S-96-13 Distribution : World Page : 1 Classification: External Version: 1 Subject : Netscape 2.0 Security Risks Date : 11-Mar-96 =============================================================================== By courtesy of NASIRC (the NASA CERT) we received information on vulnerabilities in Netscape 2.0 with regards to the Java and JavaScript programming environments. The Java problem was mentioned in less detail already in S-96-12, the JavaScript problem was not. If you were planning an upgrade to Netscape 2.0 it seems wise to wait at least until 2.01 arrives. If you have pressing reasons to use or install 2.0, please take very good notice of the below recommendations. ============================================================================== NASIRC BULLETIN B-96-11 March 11, 1996 Netscape 2.0 Security Risks =========================================================== NASA Automated Systems Incident Response Capability __ __ __ ___ ___ ____ ____ /_/\ /_/| /_/\ / _/\ /_/| / __/ \ / __/\ | |\ \| || / \ \ | /\/ | || | /\ \/ | | \/ | ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | | | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ |_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/ Serving NASA and the International Aerospace Communities =========================================================== This bulletin reports a recently announced security vulner- ability. It may contain a workaround or software patch. Bulletins should be considered urgent as vulnera- bility information is likely to be widely known by the time a patch is issued or other solutions are developed. =========================================================== It has been reported to NASIRC that several security vulnerabilities exist in the released version of the Netscape Navigator WWW browser. PROBLEM OVERVIEW The current implementation of the Netscape Navigator (Version 2.0) includes support for two programming environments: Java and JavaScript. The implementation of Java contains a security vulnerability that can be disabled or patched. JavaScript can not be disabled and poses a security risk to systems which access pages containing JavaScript. A workaround patch is provided to disable JavaScript. SYSTEMS AFFECTED Any system running Netscape 2.0 or a Beta version of Netscape 2.0, including UNIX, Windows '95, Windows NT, and Macintosh, are affected. JAVA PROBLEM DESCRIPTION Java is a new programming language from Sun Microsystems. The language is intended to be portable across operating systems (UNIX, DOS, Microsoft Windows, OS/2, etc). Java allows WWW authors to create applets (downloadable applications) that will run on the remote WWW browsers. The Java Applet Security Manager was designed to prevent applets' misuse of the client computer to create security vulnerabilities. However, a vulnerability was discovered in the Netscape implementation of the security manager. A correctly written applet, in combination with information from a subverted DNS server, is able to make connections to an arbitrary host, and exploit any possible vulnerabilities on that arbitrary host. This is particularly serious if that arbitrary host is behind a firewall, and not as secure as it could be, relying on the firewall to protect it. Accessing a WWW page containing such an applets will by-pass the effectiveness of the firewall. Java can be disabled in Netscape Navigator 2.0 clients under the "Options" menu. Netscape has made a patch available to fix the Java Applet Security Manager vulnerability in Netscape 2.0. More details about the Java vulnerability and patch information are available from http://www.netscape.com/newsref/std/java_security.html JAVASCRIPT PROBLEM DESCRIPTION JavaScript is an interpreted language from Netscape that can be embedded in HTML documents. This is another language that causes the WWW browser to execute downloaded programs. JavaScript resembles Java, but lacks Java's strong type checking. JavaScript demonstration 'exploit' scripts have been created which can: o grab the E-mail address of the WWW browser user o monitor the contents of the client cache of pages visited o display a directory listing of any user-accessible disks on the browser's host. Another "exploit" script demonstrates a denial-of-service attack by continuously creating empty windows until the resources of the user's system are depleted. Netscape Navigator 2.0 is not currently equipped with any mechanism to disable JavaScript. A workaround patch is included that will disable most JavaScript functionality in Netscape Navigator 2.0. RECOMMENDED SOLUTION Users should not use any version of Netscape 2.0 or any Beta version of Netscape 2.0 as a WWW browser to visit any untrusted WWW sites. Users and systems administrators should revert their sites to Netscape Version 1.1, or use another WWW browser. Netscape has announced to the press that Netscape Navigator 2.01 will address all known security vulnerabilities in the Java Applet Security Manager and include an option to disable JavaScript execution on the client. WORKAROUND SOLUTION TO THE JAVA VULNERABILITY For those sites that must use Netscape 2.0, a patch exists that addresses the Java vulnerability. Users should be aware that several other vulnerabilities existed in the Beta versions of Netscape 2.0. These Beta versions should be discarded. Applying this patch does not address the JavaScript vulnerability. The patch is available from NASIRC at ftp://nasirc.nasa.gov/patches/Netscape/moz2_0.zip Users should be sure to download the file in binary mode. A PGP signature of the patch file can be obtained from ftp://nasirc.nasa.gov/patches/Netscape/moz2_0.zip.asc +--------------- BEGIN INCLUDED Netscape Patch Installation Instructions - ---------------- | | INSTALLATION INSTRUCTIONS FOR JAVA APPLET SECURITY MANAGER PATCH | | After downloading the patch, follow these installation instructions: | | For PC users: | | 1. Close your Netscape Navigator if it is running currently. | 2. Replace the existing moz2_0.zip file in your Java classes | directory which resides in your Netscape's program directory. | | For example, if you installed your Netscape Navigator in | C:\Netscape, then moz2_0.zip should be in | | C:\Netscape\Program\Java\Classes\Moz2_0.zip | | For Unix users: | | 1. Close your Netscape Navigator if it is running currently. | 2. Replace the exisiting moz2_0.zip file, which may reside in any | of these directories: | | The current directory | /usr/local/netscape/java/classes | /usr/local/lib/netscape | $HOME/.netscape | +--------------- END INCLUDED Netscape Patch Installation Instructions - ---------------- More information about the vulnerability and the patch can be obtained from Netscape at http://www.netscape.com/newsref/std/java_security.html. WORKAROUND SOLUTION TO THE JAVASCRIPT PROBLEM Larry Schwimmer of Stanford University has written the following "democha" script to disable JavaScript in Netscape 2.0. This script is written in the Perl scripting language (available from ftp://nasirc.nasa.gov/toolkits/UNIX/Perl ). +--------------- BEGIN INCLUDED Democha Shell Script ---------------- | #! /bin/sh | # @(#) democha version 1.4 7 March 1996 las | # democha: disable JavaScript in netscape2.0 | # Usage: democha [netscape_binary] | | perl -i.orig -pe ' | s/\0script\0/\0\0\0\0\0\0\0\0/g; | s/\ca\&script\ca\&/\ca\&\0\0\0\0\0\0\ca\&/g; | s/(javascript|livescript|mocha):/" " x length($1) . ":"/e; | s/(x-javascript\0.*applets\0)/"\0" x length($1)/e; | s/(\0onsubmit\0.*\0onunload\0)/"\0" x length($1)/e; | s/(\0onunload\0.*\0applets\0)/"\0" x length($1)/e; | if (($a,$b,$c) = /(.*x-javascript\cb)(.*)(\#.*)/) { | $b =~ tr/a-zA-Z/ /; | $_ = "$a$b$c\n"; | } | ' "${1-netscape}" | +--------------- END INCLUDED Democha Shell Script ---------------- The most current version of "democha" will be available from ftp://nasirc.nasa.gov/patches/Netscape/democha.sh with a PGP signature of the file at ftp://nasirc.nasa.gov/patches/Netscape/democha.sh.asc The current version of the script has been tested with Netscape 2.0 for several variants of UNIX, Macintosh, and Windows (32bit). For PC and Macintosh platforms users can copy the Netscape binary file to a UNIX machine with Perl, run the script against the binary, and return the binary to the PC. This script is not guaranteed to disable all JavaScript functionality. It has worked with several JavaScript exploit pages that were available at the time. It may have the side-effect of crashing the browser when some JavaScript pages are accessed. Note that the "democha" patch does not address the JAVA Applet Security Manager vulnerability. The Netscape Java Applet Security Manager patch should be applied in conjunction with this patch. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- NASIRC ACKNOWLEDGES: Emma Kolstad Antunes of GSFC, Karen Kinsley of LARC, Steven McLaughlin of GSFC, Bruce O'Neel of GSFC, and a myriad contributors to the WWW Security Mailing List (www-security-request@nsmx.rutgers.edu) for providing information, Larry Schwimmer and Stephen Hansen of Stanford University for providing the "democha" script, and AUSCERT for helpful commentary on drafts of this bulletin. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6IITSYjBqwfc9jEQKl/wCfS3QcnuXzzD4GxQvDUA62owFnbpQAoNc1 d1ELLHjJi+Bu+qEw+JzA1sDI =ikFI -----END PGP SIGNATURE-----