Netscape 7.2 Security Vulnerabilities

Firefox, Thunderbird, SeaMonkey, Camino, Mozilla, Netscape 6/7/8/9, and all Gecko-based browsers discussion and support forum.
(MozInfo701, Netscape Browser Archive)

Moderators: Antony, Edward, profman, Ramona

Postby J-M » Tue 14 Sep, 2004 11:39 pm

Secunia.com classified them as 'Highly critical' in SA12526.

There are some workarounds until a new version, something like 7.3, is published. Test results were reported to Netscape via their security bug web form.

Results in Windows XP environment

Issue 2: JavaScript Windows clipboard reading
http://bugzilla.mozilla.org/show_bug.cgi?id=257523
Affects NS7.2.
Workaround: Disable JavaScript from Preferences / Advanced / Scripts & Plug-ins: tick off 'Navigator'
What I use: Do not copy or leave sensitive data (personal information, passwords etc.) on the clipboard. Replace the clipboard content with an insignificant string, for example Start / Run... / notepad (type 'aaa', select with Ctrl+A, press Ctrl+C).

Issue 5: non-ASCII characters in a link crash the browser.
http://bugzilla.mozilla.org/show_bug.cgi?id=256316
Affects NS7.2.
NS Quality Feedback Agent pops up too.
Workaround: Don't click untrusted links.
Observe the Status Bar, for example text like h t t p://AAAAA
[spaces added to break the link]

Issue 6: an extremely wide BMP crashes the browser.
http://bugzilla.mozilla.org/show_bug.cgi?id=255067
Be aware! There is a working 'exploitable' link included in the Bugzilla report.

Affects NS7.2.
Workaround: Don't click untrusted links.

Continuing with issue 7 and the remaining ones.

subject slightly changed - Admin, 16.9.2004
un-sticky by Admin 25.9.2004
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 MultiZilla/1.6.4.0b (ax)
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby Mandrake » Wed 15 Sep, 2004 1:18 am

Then people should not use Netscape 7.2.. there is no 7.21 from Netscape to correct these. Besides, Firefox is faster :)
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040911 Firefox/0.10
Core i7 920 | ASUS P6T Deluxe v2 | 3TB+ HDD | 12GB Corsair DDR3 | Radeon 4890 Xfire | X-Fi Titanium Fatal1ty | Logitech Z-5500 Speakers | Dell 3008WFP | Seven RC1
Mandrake
Moderator
Posts: 4193
Joined: Fri 13 Sep, 2002 6:35 am

Postby Ramona » Wed 15 Sep, 2004 10:49 am

This is the entire Secunia Security Advisory:
TITLE:
Netscape Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA12535

VERIFY ADVISORY:
http://secunia.com/advisories/12535/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, Manipulation of data, Exposure of sensitive
information, System access

WHERE:
From remote

SOFTWARE:
Netscape 7.x
http://secunia.com/product/85/

DESCRIPTION:
Multiple vulnerabilities have been reported in Netscape, which can be
exploited by malicious people to conduct cross-site scripting attacks,
access and modify sensitive information, and compromise a user's
system.

The vulnerabilities are related to some recently disclosed issues in
Mozilla:
SA12526

The following vulnerabilities in SA12526 have been confirmed in
Netscape 7.2 for Windows: 1, 2, 3, 5, 6, and 7.

1) Various boundary errors in "nsMsgCompUtils.cpp" can be exploited
to cause heap-based buffer overflows when a specially crafted e-mail
is forwarded.

Successful exploitation can potentially lead to execution of
arbitrary code.

2) Insufficient restrictions on script generated events on text
fields can be exploited to read and write content from and to the
clipboard.

3) Boundary errors in the "writeGroup()" function in "nsVCardObj.cpp"
can be exploited to cause stack-based buffer overflows by sending an
e-mail containing a specially crafted vcard.

Successful exploitation may allow execution of arbitrary code but
requires that the malicious e-mail is opened in preview.

5) A problem with overly long links containing non-ASCII characters
can be exploited via a malicious website or e-mail to cause a buffer
overflow, which potentially can lead to execution of arbitrary code.

6) Integer overflows when parsing and displaying BMP files can
potentially be exploited to execute arbitrary code by supplying an
overly wide malicious BMP image via a malicious website or in an
e-mail.

7) Mozilla allows dragging links to another window or frame. This can
e.g. be exploited by tricking a user on a malicious website to drag a
specially crafted javascript link to another window.

Successful exploitation can cause script code to execute in context
of that window. Further exploitation can in combination with another
unspecified vulnerability lead to execution of arbitrary code.


SOLUTION:
Use another product.


PROVIDED AND/OR DISCOVERED BY:
Two of the vulnerabilities were reported in Netscape by:
Juha-Matti Laurio

OTHER REFERENCES:
SA12526:
http://secunia.com/advisories/12526/
UserAgent: Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10
Ramona
Moderator
Posts: 2376
Joined: Wed 19 Jun, 2002 3:50 pm
Location: Midwest USA
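
Item 6 of the advisory quoted above names integer overflows when parsing an overly wide BMP. As an added example (not Mozilla's or Netscape's code, and not taken from the Bugzilla report), this C code shows the general bug class: a 32-bit row-size calculation that wraps, beside a checked version that rejects such a header. The function names, the 64 MiB cap and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) {          /* little-endian read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {        /* little-endian write */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample input: a 40-byte BITMAPINFOHEADER with chosen fields. */
void make_hdr(uint8_t h[40], uint32_t width, uint32_t height, uint8_t bpp) {
    memset(h, 0, 40);
    wr32(h, 40); wr32(h + 4, width); wr32(h + 8, height);
    h[12] = 1; h[14] = bpp;              /* planes, bits per pixel */
}

/* Unchecked row size: 32-bit width * bpp wraps for an overly wide image. */
uint32_t naive_row_bytes(uint32_t width, uint32_t bpp) {
    return ((width * bpp + 31u) / 32u) * 4u;
}

/* Checked size: returns 0 and stores the pixel-buffer size in *out, or -1
 * when the header is implausible or the size exceeds max_bytes. */
int bmp_pixel_bytes(const uint8_t *hdr, size_t len, size_t max_bytes, size_t *out) {
    if (len < 40 || rd32(hdr) < 40) return -1;
    int32_t w = (int32_t)rd32(hdr + 4);
    int32_t h = (int32_t)rd32(hdr + 8);
    uint32_t bpp = (uint32_t)hdr[14] | (uint32_t)hdr[15] << 8;
    if (w <= 0 || h == 0) return -1;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;
    uint64_t rows = (uint64_t)(h < 0 ? -(int64_t)h : (int64_t)h); /* top-down if < 0 */
    uint64_t row = (((uint64_t)w * bpp + 31) / 32) * 4;  /* 64-bit, cannot wrap */
    if (row > max_bytes || rows > max_bytes / row) return -1;
    *out = (size_t)(row * rows);
    return 0;
}

int main(void) {
    uint8_t hdr[40]; size_t n = 0;
    make_hdr(hdr, 0x20000001u, 1, 32);   /* constructed overly wide header */
    printf("naive row bytes: %u\n", (unsigned)naive_row_bytes(0x20000001u, 32));
    printf("checked result: %d\n", bmp_pixel_bytes(hdr, sizeof hdr, 64u << 20, &n));
    return 0;
}
```

With the constructed width 0x20000001 at 32 bits per pixel, the unchecked calculation yields a 4-byte row, so a buffer sized from it would be far smaller than the data a decoder then writes per row; the checked version refuses the header instead.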

Postby J-M » Wed 15 Sep, 2004 5:43 pm

That's the situation. Admin changed the subject (it was "1.7.3's issues affecting Netscape 7.2 too"); the only solution is to switch to Firefox or the Suite until the Netscape update. No reply to the sent security bug web form yet.
Netscape Security Center (http://wp.netscape.com/security/) needs an update rapidly, at least by placing the newest issues first. People find it from Browser Central and there is no sign of a coming 7.2x release.
Thanks, Ramona, for the quotation: a new Netscape-only advisory ID, SA12535.

(Link changed to clickable - Admin 16.9.2004)
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b
Last edited by J-M on Wed 15 Sep, 2004 5:57 pm, edited 1 time in total.
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby J-M » Wed 15 Sep, 2004 5:53 pm

So again, Secunia has published its own report, SA12535:
http://secunia.com/advisories/12535/
Its severity is Highly critical too.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Re: Netscape 7.2 Security Vulnerabilities - Use Another Prod

Postby Danny_G » Wed 15 Sep, 2004 6:43 pm

J-M wrote: Secunia.com classified them as 'Highly critical' in SA12526.

Issue 5: non-ASCII characters in a link crash the browser.
http://bugzilla.mozilla.org/show_bug.cgi?id=256316
Affects NS7.2.
NS Quality Feedback Agent pops up too.
Workaround: Don't click untrusted links.
Observe the Status Bar, for example text like h t t p://AAAAA
[spaces added to break the link]

I've clicked on the link but nothing happened :o
My NS 7.2 doesn't crash :)
UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040805 Netscape/7.2
Danny_G
member
Posts: 35
Joined: Sat 21 Aug, 2004 11:06 pm
Location: Lima

Really!

Postby goGecko » Wed 15 Sep, 2004 9:26 pm

In my opinion these are minor unexploited security holes that will have absolutely NO impact on an average user. How many sites exploit these holes? Zero. Now that Mozilla has patched them in the latest trunk, there is no incentive for malicious sites to target the old vulnerabilities. Not to mention that IE has 100x more unpatched security holes than Netscape 7.2.

The thread's title is also highly ambiguous: "Use Another Product." This is vague and confusing to new users. Imagine an Internet Explorer user who just downloaded and set up 7.2 and had an issue with the program. The user found sillydog and read this "sticky." The IE user might then conclude that Netscape is no better than IE since even the forum admin doesn't recommend it and then return to using IE.
needs a new title. A better title would be "Minor Security Vulnerabilities Found in Netscape 7.2". Instead, your title tries scaring Netscape users in a pathetic attempt to get them to convert to Firefox.

Back when Netscape 7.1 was used (for almost the entire year since Netscape was shut down), there was no sticky telling Sillydog users to not use Netscape 7. Yet there were numerous known security holes in Netscape 7.1. Why the new standard?

Sillydog 701 also provides an excellent Browser Archive. Yet almost all of the Netscape releases have known security and stability problems. Should Sillydog also start telling users that they should not use the older versions? If so, then why even offer them?

I believe that the end-user should decide how severe security holes are with regards to their individual needs. If you want to educate Netscape users about security, then fine. But don't tell them what to do!
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
goGecko
super member
Posts: 125
Joined: Thu 15 Jul, 2004 6:10 pm

Re: Really!

Postby Antony » Wed 15 Sep, 2004 9:58 pm

goGecko wrote: Sillydog 701 also provides an excellent Browser Archive. Yet almost all of the Netscape releases have known security and stability problems. Should Sillydog also start telling users that they should not use the older versions? If so, then why even offer them?

SillyDog701 strives to provide comprehensive information and support for Netscape and Mozilla users. SillyDog701 believes warning users about security issues is important. However, suggesting that users use another product or whatever the latest version of a product is, is not SillyDog701's task.

I don't think "Use Another Product" is a suitable title.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9
Antony
diamond member
Posts: 14510
Joined: Tue 18 Jun, 2002 11:36 pm
Location: Sydney, Australia

Re: Really!

Postby Danny_G » Wed 15 Sep, 2004 10:09 pm

Antony wrote:I don't think "Use Another Product" is a suitable title.


Yeah.. it seems like a title from a M$ lover :x
Gecko rules !!! :P
Linux too ! :D
UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040805 Netscape/7.2
Danny_G
member
Posts: 35
Joined: Sat 21 Aug, 2004 11:06 pm
Location: Lima

Re: Really!

Postby goGecko » Wed 15 Sep, 2004 10:20 pm

Danny_G wrote:
Antony wrote:I don't think "Use Another Product" is a suitable title.


Yeah.. it seems like a title from a M$ lover :x
Gecko rules !!! :P
Linux too ! :D


That was the point of my post. Yet the administrators haven't changed the thread's title yet.....

I didn't start the thread and therefore have no control over the title!
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
goGecko
super member
Posts: 125
Joined: Thu 15 Jul, 2004 6:10 pm

Finally!

Postby goGecko » Wed 15 Sep, 2004 10:30 pm

Someone fixed the title. Thanks! :D
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
goGecko
super member
Posts: 125
Joined: Thu 15 Jul, 2004 6:10 pm

Postby Jeffredo » Wed 15 Sep, 2004 11:33 pm

Mandrake wrote:Besides, Firefox is faster :)


Not on my machine. :)
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10
Jeff
Jeffredo
super member
Posts: 169
Joined: Tue 09 Mar, 2004 11:40 pm
Location: Monterey, California

Postby Ramona » Thu 16 Sep, 2004 1:07 am

goGecko,

I added the "Use Another Product" because it was included in the Secunia Advisory. I wasn't trying to set any new SillyDog701 standards, and if the "Use Another Product" seemed ambiguous, then perhaps you should address your dislike of the unsuitable verbiage to Secunia. I did not intend the title of the thread to set any new standard; I was merely quoting the Secunia Security Advisory. If you were offended, you should feel better now, as Antony did remove the offending phrase from the title. ;)

Actually there was a statement on the Netscape Browser Archive suggesting that users should not use Netscape 7.1, and should instead download Netscape 7.02: Netscape 7.1 Streamline.
Netscape 7.1 Streamline

News Flash! Windows 98 (all Win9x) users please use Netscape 7.02 instead, there's a system resource drainage issue with Windows 98 in NS7.1. You can use Netscape 7.1 Streamline under Windows 98 with this workaround.


And no, Danny G, I'm no M$ lover, the way you mean it. I have been in the Netscape Community for quite a few years, and will continue to be, as long as there is a Netscape! :)

Ramona
UserAgent: Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10
Ramona
Moderator
Posts: 2376
Joined: Wed 19 Jun, 2002 3:50 pm
Location: Midwest USA

Postby Danny_G » Thu 16 Sep, 2004 1:16 am

My apologies. I know your website and find a lot of great tips and tricks for Netscape. I'm a NS hardcore fan since 1996.
Thanks. :)
I've always hated IE :evil:
UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040805 Netscape/7.2
Danny_G
member
Posts: 35
Joined: Sat 21 Aug, 2004 11:06 pm
Location: Lima

Postby Ramona » Thu 16 Sep, 2004 1:24 am

Danny G,

No apology needed, I just wanted to remove any concept here that I am an IE activist in any way, shape, or form. 8-)

Ramona
UserAgent: Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10
Ramona
Moderator
Posts: 2376
Joined: Wed 19 Jun, 2002 3:50 pm
Location: Midwest USA
