SillyDog701

[J-M]

Secunia company has just released a new advisory related to Netscape 7's PNG image handling. Some (several) vulnerabilities have been reported in Netscape 7.x and Sun's Solaris 9 Update 3 package.

Description:
Some vulnerabilities have been reported in the Netscape browser, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

For more information:
SA12219
SA12232

Solution:
Use another product.

Provided and/or discovered by:
Reported in the Netscape browser in an advisory from Sun Microsystems.

An original advisory is available at http://secunia.com/advisories/13291/


- Juha-Matti

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

[Antony]

This particular vulnerability report (by Secunia) is lack of detail and accuracy in my opinion.

In Secunia's SA12232., They said the libpng vulnerabilities has been fixed in:
* Mozilla 1.7.2
* Firefox 0.9.3
* Thunderbird 0.7.3

So exactly which version of Netscape 7 was this report talking about?

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.5 (KHTML, like Gecko) Safari/125.11

[J-M]

So exactly which version of Netscape 7 was this report talking about?

According to https://bugzilla.mozilla.org/show_bug.cgi?id=251381#c18 (reference page in SA12232) there is no exact information what happened with this bug when NS7.2 was published. That comment mentioned was written on 28th July.
Secunia's advisory is short and not very informative.

UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

[akbash]

"Netscape 7.x." That is funny. This was fixed last July (after the 28th), in Netscape 7.2, so the last vulnerable NS browser would be 7.1. Just to be certain, maybe someone with 7.2 should go try the bad PNG testcase provided in the Mozilla bug report. It's the last attachment to bug 251381. (Warning: a pre-fix Moz/NS will crash.)

There are probably some exceptions to the rule that NS 7.2 = Moz 1.7.3 but I don't know of any.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041116 Firefox/1.0

[J-M]

"Netscape 7.x." That is funny. This was fixed last July (after the 28th), in Netscape 7.2, so the last vulnerable NS browser would be 7.1.

With Secunia, Netscape 7.x means all 7.x versions and it's a clickable link. When clicking this link 'Netscape 7.x', Secunia's statistics site is showing which Netscape 7.x's issues are patched and which are not.

Lets's try: http://secunia.com/product/85/

In Description text, tested and confirmed versions are mentioned. Now Secunia departed from it's practice. Not a good thing.

"The weakness has been confirmed in Netscape 7.1. Other versions may also be affected."

This is a normal form Secunia is using. It means that all older versions include this vulnerability.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

[neonrich]

"Netscape 7.x." That is funny. This was fixed last July (after the 28th), in Netscape 7.2, so the last vulnerable NS browser would be 7.1. Just to be certain, maybe someone with 7.2 should go try the bad PNG testcase provided in the Mozilla bug report. It's the last attachment to bug 251381. (Warning: a pre-fix Moz/NS will crash.)

There are probably some exceptions to the rule that NS 7.2 = Moz 1.7.3 but I don't know of any.

My NS7.2 didn't crash. Both it and Firefox 1.0 show:

The image “https://bugzilla.mozilla.org/attachment.cgi?id=155971&action=viewâ€

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

[J-M]

"Netscape 7.x." That is funny.

I founded this: http://www.viruslist.com/en/weblog?weblogid=155760739
Viruslist.com's Analyst's Diary (so-called Kasperky Lab Weblog). It's written on December 03, 2004.
It's referring to SA13291 and it's mentioning of Netscape 7.x. Maybe I'll write a comment there..

Title: Highly critical vulnerability in Netscape 7.x

It's still used by millions of people around the world.

All of them are not using vulnerable versions.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0

[J-M]

Term 'affects Netscape 7.x' was used in the news of course: http://www.eweek.com/print_article2/0,2 ... 191,00.asp
and http://computercops.biz/print-1-90097.html .

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041021 MultiZilla/1.6.4.0b

[Antony]

Term 'affects Netscape 7.x' was used in the news of course: http://www.eweek.com/print_article2/0,2 ... 191,00.asp
and http://computercops.biz/print-1-90097.html .

Time to blame Secunia of not detailing basic information, and/or perhaps exaggerated the "discovery"?

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.5 (KHTML, like Gecko) Safari/125.12

[J-M]

Time to blame Secunia of not detailing basic information, and/or perhaps exaggerated the "discovery"?

Maybe description text like "No more detailed information is currently available" in advisory sounds better, 'softening' their recommendation to Use another product.
I hope they sacrifice a few extra minutes to write an advisory about Netscape next time. Usually their advisories include reasonable argumentations. I'm not criticizing their know-how.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0