Severe Security Flaw Threatens Netscape Users
By Nate Mook and David Worthington | Published April 21, 2001, 9:47 AM
For users of Netscape SmartDownload, the Internet has recently become a very dangerous place.
Security experts have uncovered a flaw in Netscape's SmartDownload application that poses a serious risk even while casually browsing. A malicious image URL is enough to make version 1.3 execute code on a victim's system, possibly with full administrator privileges. Netscape posted version 1.4.01 on April 3, an update which corrected the issue, but failed to issue a warning.
The scope of the vulnerability is considerable, as SmartDownload is installed by default with certain versions of Netscape Communicator and comes as an add-on for Internet Explorer and NeoPlanet. Because it adds the ability to pause, resume, and auto-restart downloads, the program is very popular among modem users.
The problem stems from sdph20.dll, a library used by the software, which causes a buffer overflow when accessing URLs longer than 271 characters. A bug in the DLL's URL parsing function is to blame. If exploited correctly, the system will end up crashing the browser and executing code placed near the end of the URL. This code can contain instructions to perform any number of operations, including downloading and installing a trojan horse from the Internet.
Most importantly, the parsing function is not only performed on downloads, but every URL - even when SmartDownload is disabled. Image source tags, loaded automatically by the browser, can be used as a launch pad for attack.
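As an added illustration (not code from this article, @stake or Netscape), a filtering proxy or mail gateway could flag pages that carry URLs past the 271-character limit described above before they reach a browser with SmartDownload 1.3 installed. The names `LongUrlScanner` and `scan_html`, the attribute list and the sample page are assumptions made for this example.

```python
from html.parser import HTMLParser

# From the article: URLs longer than 271 characters overflow the URL parser
# in SmartDownload 1.3's sdph20.dll.
MAX_SAFE_URL_LEN = 271

# Assumed list of URL-bearing attributes (the article names only image
# source tags; the rest are added because "every URL" is parsed).
URL_ATTRS = {"src", "href", "background", "lowsrc", "action", "data"}


class LongUrlScanner(HTMLParser):
    """Records each URL attribute whose value is longer than the limit."""

    def __init__(self, limit=MAX_SAFE_URL_LEN):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; self-closing tags
        # are routed here too by HTMLParser's default handle_startendtag.
        line, _col = self.getpos()
        for name, value in attrs:
            if name in URL_ATTRS and value and len(value.strip()) > self.limit:
                self.findings.append({"line": line, "tag": tag,
                                      "attr": name, "length": len(value.strip())})


def scan_html(html, limit=MAX_SAFE_URL_LEN):
    """Return a list of findings for over-long URLs in an HTML document."""
    scanner = LongUrlScanner(limit)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a normal image, an image whose URL is padded with
# filler past the limit, and a link whose URL is exactly 271 characters.
BASE = "http://example.test/"
SAMPLE_HTML = "\n".join([
    "<html><body>",
    '<img src="' + BASE + 'logo.gif">',
    '<IMG SRC="' + BASE + "A" * 300 + '" />',
    '<a href="' + BASE + "b" * (MAX_SAFE_URL_LEN - len(BASE)) + '">ok</a>',
    "</body></html>",
])

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Only the padded image is reported; the 271-character link sits exactly at the limit and passes, matching the article's "longer than 271 characters".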
Despite fixing the problem early this month, Netscape has not updated their Web site with any information. All pages and documents continue to cite version 1.3 as the newest release, and those running SmartDownload 1.2 will be asked to update to the vulnerable 1.3.
After a recent BugTraq post covered the threat and included an example exploit, Netscape parent company AOL seemed only concerned with tightening internal security. In an urgent e-mail communication Friday to all security staff, AOL Operations Security (OpsSec) demanded "that all vulnerable systems immediately upgrade to Netscape SmartDownload v1.4 *or* completely uninstall/remove SmartDownload v1.3."
AOL internally recommends first checking to see if the Windows system is vulnerable by viewing the properties of sdph20.dll. If the 'Version' tab contains 1.3.x.x, SmartDownload should be upgraded by downloading the latest installer.
Those wishing to view a demonstration may click here. If you are not running version 1.3, you must first install version 1.2 and auto-upgrade to 1.3 by visiting Netscape's download page. This example will not cause harm to your system, merely crash the Web browser.
For more information, read the full security report, initially published by @stake on April 13.
AOL could not be reached for comment by press time and has yet to make an announcement.
It's important to note that "smartdownload" is a browser plug-in that lets users resume downloads. It is separate from "smartupdate," which, AFAIKT, is server based, not client based.
Score: 0
|@stake (not Bugtraq) discovered this vulnerability and was the first to publish a report on it on 4-13-01. We worked with Netscape to get them to fix the problem. It would be nice if your story actually credited the original researchers and publishers of the information.
The report is at:
http://www.atstake.com/r...ries/2001/a041301-1.txt
Score: 0
|Because your announcement was the foundation for the BugTraq report, I had not included a direct link. The BugTraq comment was referring to AOL taking action internally, I did not intend to infer they were the initial publishers. I apologize and have updated the story.
- Nate
Score: 0
|what do you mean 'Netscape security flaw'? Netscape itself is one big flaw. Why don't you people go to http://www.microsoft.com/windows/ie and download a real web browser.
Score: 0
|I hope the three people who still use Netscape on Windows got a look at this article.
Score: 0
|frantically searching for the fix or already got hacked and their comps are gone lolz.
Score: 0
|yay nutscrape..
Score: 0
|Gee- so nice of Netscape/AOL to keep quiet about this, and not try to help the "loyal users" out there with updates and/or patches. Say what you will about the "evils of microsoft", but at least they try to keep things updated and give info to the users about the problems, and issue fixes.
Score: 0
|I guess IE isn't the only browser getting ****ed? I guess you open source and linux zealots have nothing to say.
Score: 0
|On behalf of the whole world, let me just say "eat 5h1t and die." Have a nice day. :-)
Score: 0
|Why, because a closed-source program from Netscape that's not part of the browser (not all companies require you use every one of their programs to use every other program -- SmartDownload can be used without having Communicator and vice-versa) that's Windows-only has some security flaw? I don't see what that has to do with open-source and linux zealots at all.
Score: 0
|This does not affect Netscape 6 which just has a standard downloader. Netscape 6 is based on Mozilla, the open source project. I do not see what this has to do with open-source or Linux. Or Netscape 6 for that matter. I think your comment is just made out of pure ignorance.
Score: 0