SillyDog701

[Antony]

Okay, I removed the "User another product" from the subject, and added "Highly critical" to the description.

Somehow, I only believe the issue 2 is really serious. However, I don't know if there's any way that the data from clipboard can be passed back to any server easily without any interaction from users, according my my knowledge in networking and internet.

Since early days of scripting, it is possible to use scripts to send certain content to users' clipboard, however, this requires some users' interaction.

2) Insufficient restrictions on script generated events on text
fields can be exploited to read and write content from and to the
clipboard.

If I were the Secunia, I would suggest users to turn off JavaScript instead of use another product.

As for crashing browser due to non-ASCII characters or wide BMP file, I would personally consider that as a bug of the browser.

Ramona was kindly informing all user about the situation of this issue.
As for message/warning in Netscape Browser Archive pages, I will try to have better understanding first.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9

[Danny_G]

I've made this browser security test
http://bcheck.scanit.be/bcheck/
Browser name: Netscape
Version: 7.2
Platform: Linux i686

The results:

Browser Security Test Results

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

Cool ! Do you know another Browser test page ?

UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040805 Netscape/7.2

[J-M]

Secunia.com classified them to 'Highly critical' in SA12526.

Workaround: Don't click untrusted links.
Observe the Status Bar, for example text like h t t p://AAAAA
[spaces added to break the link]

I've clicked in the link but nothing happened
My NS 7.2 don't crash

Sample link is shortened deliberately.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

[J-M]

Okay, I removed the "User another product" from the subject, and added "Highly critical" to the description.

Somehow, I only believe the issue 2 is really serious. However, I don't know if there's any way that the data from clipboard can be passed back to any server easily without any interaction from users, according my my knowledge in networking and internet.

Since early days of scripting, it is possible to use scripts to send certain content to users' clipboard, however, this requires some users' interaction.

2) Insufficient restrictions on script generated events on text
fields can be exploited to read and write content from and to the
clipboard.

If I were the Secunia, I would suggest users to turn off JavaScript instead of use another product.

As for crashing browser due to non-ASCII characters or wide BMP file, I would personally consider that as a bug of the browser.

Ramona was kindly informing all user about the situation of this issue.
As for message/warning in Netscape Browser Archive pages, I will try to have better understanding first.

Hello all!
My original subject was "Security Vulnerabilities in Mozilla 1.7.3 affecting to Netscape 7.2 too". Antony can check an exact format from his mailbox, because I filled a feedback form too, but printed version of form is at home:-(
Secunia get test result and my suggestion:
"Disable JavaScript in Netscape 7.x.
Remove menu selection Edit / Preferences... / Advanced / Scripts & Plugins / Enable JavaScript for: Navigator
Suggestion to Suite/FF/NS7 issues was:
Don't leave sensitive data (personal information, passwords etc.) to Windows clipboard. Replace clipboard content with insignificant string, for example Start / Run... / notepad (type 'aaa', select Ctrl+A, type Ctrl+C).
Additional instructions were (and are):
Do not follow links from untrusted sites.
Check Status Bar text before selecting a link."

But the POINT (sorry for Caps) was to be careful, if Netscape 7.2 is the only browser for example in company environment.
At home or with admin rights you can always download another 'lizard' or use for example Mozilla installed before to an alternative browser.
And, there must be a channel to inform users about Netscape 7.2x's publishing timetable.
This is in fact very wide question, now when companies are switched to those browsers, what is a great thing, all informative information available rapidly is important.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

[Mandrake]

I think that users should be encouraged to use another product. The lastest version is necessary, as it fixes highly critical security vunerabilities. Telling me it's safe to keep using Netscape 7.2 is like telling people not to bother installing security patches for their OS, which is a very stupid thing to say.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040911 Firefox/0.10

[Antony]

"Disable JavaScript in Netscape 7.x.
Remove menu selection Edit / Preferences... / Advanced / Scripts & Plugins / Enable JavaScript for: Navigator
Suggestion to Suite/FF/NS7 issues was:
Don't leave sensitive data (personal information, passwords etc.) to Windows clipboard. Replace clipboard content with insignificant string, for example Start / Run... / notepad (type 'aaa', select Ctrl+A, type Ctrl+C).
Additional instructions were (and are):
Do not follow links from untrusted sites.
Check Status Bar text before selecting a link.

Scripts can read clipboard content is nothing new.
If scripts can read clipboard content and sends back to website without users' knowledge, then that's serious.
Are there any proves that scripts can be executed under Netscape 7.2 and reads contents from clipboard and sends back to any server without user's knowledge?

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9

[J-M]

If scripts can read clipboard content and sends back to website without users' knowledge, then that's serious.
Are there any proves that scripts can be executed under Netscape 7.2 and reads contents from clipboard and sends back to any server without user's knowledge?

There is Qualys Browser Checkup http://browsercheck.qualys.com/index.php but it works only with IE. The second part 'Clipboard Reading Hack' can read clipboard content. Server can't read the content, can anyone correct if I'm wrong.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

[Antony]

Server can't read the content,

If the server can't read the content, there's no point to make this "highly critical"

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9

[J-M]

Server can't read the content,

If the server can't read the content, there's no point to make this "highly critical"

After researching more and according to US-CERT Vulnerability Note http://www.kb.cert.org/vuls/id/460528 it is possible. Here is several workarounds,when using different browser isn't possible:

1. Don't leave sensitive data (personal information, passwords etc.) to Windows clipboard at all. Replace clipboard content with insignificant string, for example Start / Run... / notepad (type 'aaa', select Ctrl+A, type Ctrl+C). In older versions function is Select All from Edit Menu.
2. Check Windows clipboard content by method below:
Start / Run... / c:\Windows\System32\clipbrd.exe
(this opens Windows ClipBook Viewer in XP) or by Windows Explorer.
Empty Windows clipboard by selecting Edit / Delete. Confirm operation with Yes.
Older Windows versions include Clipboard Viewer in Start Menu / Programs / Accessories.
Workarounds informed to several vulnerability databases, but all of them doesn't handle cases (of course they read e-mail) by weekends.
I checked Qualys test page mentioned before with User Agent Switcher Extension v0.6 from update.mozilla.org, works in Netscape 7.2 according to two-minute testings. The Test Page starts, but Button 'Read Clipboard' doesn't work. IE-only functionality, I guess.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b

[Antony]

Server can't read the content,

If the server can't read the content, there's no point to make this "highly critical"

After researching more and according to US-CERT Vulnerability Note http://www.kb.cert.org/vuls/id/460528 it is possible. Here is several workarounds,when using different browser isn't possible:

Thanks Juha-Matti.

II. Impact
By convincing a victim to view a malicious web page, a remote, unauthenticated attacker could perform read/write operations to the victim's clipboard. Since users may copy/paste usernames, passwords, or potentially other sensitive information to the clipboard, the attacker could gain access to this information.

I still don't know if content from users' clipboard can be passed to any remote server. I will need to check Danny Goodman's JavaScript Bible.

Well, I tested the clipboard read and clipboard write given in http://bugzilla.mozilla.org/show_bug.cgi?id=257523
It is affected in Windows version of Netscape 7.2, NOT affected in Mac version of Netscape 7.2.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9

[netscpuser]

And, there must be a channel to inform users about Netscape 7.2x's publishing timetable.
This is in fact very wide question, now when companies are switched to those browsers, what is a great thing, all informative information available rapidly is important.

I'm sure a big company like AOL will not let its flagship products languish and die, and for that reason i'm optimistic that 7.2.1 will be released soon and wil include security fixes. Big companies usually make big announcements when they intend launch or discontinue their products. In fact, I'm optimistic that there will be another major version of netscape browser as a next generation browser, given that Netscape has been around for 10 years and there's no sign of it being abandoned. However, timetable is another matter that bears little weight on a free product.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

[Jeffredo]

This will be the big test to see if AOL/Netscape are truely serious about getting back into the browser game. It would be very heartening to see them actually issue security fixes quickly instead on letting them slide for months as they did with 7.1. To be honest, I'm not very optimistic!

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

[DJGM]

I'm sure a big company like AOL will not let its flagship products languish and die . . .

I don't think AOL have ever considered Netscape to be one of their flagship brands, even though
they've publically proclaimed Netscape to be an important asset for AOL. Up until last summer,
the beancounters at AOL (and Time Warner) were more than happy to allow the Netscape
brand name to languish, right up to point when they "killed" it in mid July 2003.

. . . and for that reason i'm optimistic that 7.2.1 will
be released soon and wil include security fixes . . .

Nothing wrong with being optimistic, but not many people round here share your optimistism on
the future of Netscape as a maker of internet browser software. I'm sitting on the fence on this
one, since I don't know if AOL intends to continue with Netscape browser development or not.

Big companies usually make big announcements when
they intend to launch or discontinue their products . . .

AOL made no announcements when they "discontinued" Netscape browser development last year.
But they did make a few announcements, when they reprised Netscape's role as a browser maker.

In fact, I'm optimistic that there will be another major version of netscape
browser as a next generation browser, given that Netscape has been
around for 10 years and there's no sign of it being abandoned.

Netscape hasn't yet reached it's official 10th anniversary yet. When Netscape does reach that mile-
stone in November, will there be any big celebrations or parties at AOL's ivory towers? I think not.

However, timetable is another matter that bears little weight on a free product.

Whatever kind of timetable AOL has for Netscape, they'll being staying very tight lipped about it . . .

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 - DJGM.co.uk (ax)

[J-M]

This will be the big test to see if AOL/Netscape are truely serious about getting back into the browser game. It would be very heartening to see them actually issue security fixes quickly instead on letting them slide for months as they did with 7.1. To be honest, I'm not very optimistic!

A new Security Advisory section like http://www.mozilla.org/projects/securit ... ities.html should be a good beginning. Instructions like "Workaround: Disable images" with exact menu selections and severity classifications are usefull both to IT personel and end users. It's possible that in some companies using IE was prevented by proxy settings and browser from Mozilla family, for example Netscape 7.2, is a main application (this is real life example, can't to refer names of course) used.
But releasing 7.2.1 as soon as possible is a main task to AOL now. Opinions?

[I'm sorry with my IE5 user agent, not own machine ]

UserAgent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

[netscpuser]

AOL made no announcements when they "discontinued" Netscape browser development last year.

That means they never "discontinued" the product
In hindsight, they must have been thinking of a bigger business strategy, i.e., how to leverage their product that has the name recognition and loyal user base as a vehicle to generate revenue. Hence Netscape ISP, and the portal. These other two businesses need the continuity of the browser as the lever. And they're not going away any time soon as long as they're profitable.

[/quote]

Netscape hasn't yet reached it's official 10th anniversary yet. When Netscape does reach that mile-
stone in November, will there be any big celebrations or parties at AOL's ivory towers? I think not.

Maybe not at the ivory towers, but certainly a 10 year milestone is not something to sneeze at in the web world.

Whatever kind of timetable AOL has for Netscape, they'll being staying very tight lipped about it . . .

I think we both agree on that one

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)