Severe Security Flaw Threatens Netscape Users

For users of Netscape SmartDownload, the Internet has recently become a very dangerous place.

Security experts have uncovered a flaw in Netscape's SmartDownload application that poses a serious risk even while casually browsing. A malicious image URL is enough to make version 1.3 execute code on a victim's system, possibly with full administrator privileges. Netscape posted version 1.4.01 on April 3, an update that corrected the issue, but did not issue a warning.

The scope of the vulnerability is considerable, as SmartDownload is installed by default with certain versions of Netscape Communicator and comes as an add-on for Internet Explorer and NeoPlanet. Because it adds the ability to pause, resume, and auto-restart downloads, the program is very popular among modem users.

The problem stems from sdph20.dll, a library used by the software, which causes a buffer overflow when accessing URLs longer than 271 characters. A bug in the DLL's URL parsing function is to blame. A successful exploit crashes the browser and executes code placed near the end of the URL. This code can contain instructions to perform any number of operations, including downloading and installing a trojan horse from the Internet.


Most importantly, the parsing function runs not only on downloads but on every URL, even when SmartDownload is disabled. Image source tags, loaded automatically by the browser, can be used as a launch pad for attack.
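A defensive check built on the two details above, added here as an example and not taken from the original article or the security report: it scans a page's HTML for URL-bearing attributes longer than the 271-character limit. The threshold comes from the article; the attribute list, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Threshold from the article: sdph20.dll overflows on URLs longer than 271 characters.
MAX_SAFE_URL_LEN = 271

# Attributes that commonly carry URLs the browser may fetch (assumed list, not exhaustive).
URL_ATTRS = {"src", "href", "background", "lowsrc", "action", "data"}


class LongUrlFinder(HTMLParser):
    """Collects (line, tag, attribute, length) for every over-long URL attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; self-closing tags
        # (<img ... />) are routed here as well by the base class.
        line, _ = self.getpos()
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                url = value.strip()
                if len(url) > MAX_SAFE_URL_LEN:
                    self.findings.append((line, tag, name, len(url)))


def find_long_urls(html_text):
    """Return a list of findings for one HTML document given as a string."""
    finder = LongUrlFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample page: an ordinary image, a URL of exactly 271 characters
# (at the limit, not flagged) and one of 320 characters (flagged).
PREFIX = "http://example.test/"  # 20 characters, placeholder host
SAMPLE_HTML = "\n".join([
    "<html><body>",
    '<img src="' + PREFIX + 'logo.gif">',
    '<img src="' + PREFIX + "a" * (271 - len(PREFIX)) + '">',
    '<img src="' + PREFIX + "a" * 300 + '">',
    "</body></html>",
])

if __name__ == "__main__":
    for line, tag, attr, length in find_long_urls(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}=...> is {length} characters long")
```

A scan like this only flags URLs embedded in a page; because the article says the parsing function runs on every URL, the fix remains upgrading or removing SmartDownload 1.3.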

Despite fixing the problem early this month, Netscape has not updated their Web site with any information. All pages and documents continue to cite version 1.3 as the newest release, and those running SmartDownload 1.2 will be asked to update to the vulnerable 1.3.

After a recent BugTraq post covered the threat and included an example exploit, Netscape parent company AOL seemed only concerned with tightening internal security. In an urgent e-mail communication Friday to all security staff, AOL Operations Security (OpsSec) demanded "that all vulnerable systems immediately upgrade to Netscape SmartDownload v1.4 *or* completely uninstall/remove SmartDownload v1.3."


AOL internally recommends first checking to see if the Windows system is vulnerable by viewing the properties of sdph20.dll. If the 'Version' tab contains 1.3.x.x, SmartDownload should be upgraded by downloading the latest installer.

Those wishing to view a demonstration may click here. If you are not running version 1.3, you must first install version 1.2 and auto-upgrade to 1.3 by visiting Netscape's download page. This example will not cause harm to your system, merely crash the Web browser.

For more information, read the full security report, initially published by @stake on April 13.

AOL could not be reached for comment by press time and has yet to make an announcement.

© 1998-2024 BetaNews, Inc. All Rights Reserved.