
New Netscape bug (in version 1.12)

  I just got back from a vacation in Raleigh, and downloaded the
new "fixed" Netscape 1.12. It took me about an hour, but I've
discovered another bug and potential security hole. This one relates
to mailto:.

  The bug is as follows. Create a HTML file with a hyperlink containing
the following URL

<a href="mailto:xxxxxx....(10,000 copies of the letter x)"> foo </a>

This bug doesn't seem to crash Netscape; instead, it crashes my X server
as soon as the mail window pops up. I'm too tired right now to try to
analyze it, but it might be another stack bug, this time in the X
libraries, because Netscape isn't doing any sanity checking.

I need help testing this bug on other platforms. I have created
a test page. Go to http://www.gl.umbc.edu/~rcromw1/crash.html
to test.

I have also found 2 other bugs that cause stack trashing in v1.1
however, they are random and I haven't been able to isolate them
completely yet. (I have created a page on my system, such that if you
visit it, after you visit about 3 more pages, it crashes)

What's my point in pursuing this? Netscape's browser is a piece of
software that runs on millions of computers and in effect, allows
outside agents to input arbitrary data into that software. As such,
it is unlike most applications made. Sure, Microsoft Word may have bugs,
but how many people are downloading hundreds of MS Word documents
every day and viewing them? Users of Web browsers are exposing themselves
like this every day, and so I think that web browsers must have higher
standards of robustness.

I think Netscape represents an enormous risk to computer security,
and while I think they are heading in the right direction, there are
some very basic implementation issues they need to clear up which are
orthogonal to SSL and credit card transactions. All the cryptography
in the world won't help you if someone can subvert your cryptobox.
Netscape needs to do some serious quality assurance work. I've never
been a QA person in my life, but within a few minutes, I have been
able to find serious bugs in the software. And while I'm sure
Netscape's coders are fine people, proof reading your own code,
code that you look at everyday, becomes rather hard because you
tend to "see through it". (just like proof reading essays, or messages)
I think Netscape should hire some outside firm/group to review their
code under non-disclosure for potential implementation holes.

-Ray Cromwell <[email protected]>
P.S. I am running Netscape v1.12 under BSDI2.0 and the XAccel/2.0 server
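As an added illustration (not part of the post, and not Netscape or X11 source), here is the bug class the post suspects: the address following "mailto:" copied into a fixed-size buffer with no sanity check, beside a bounded version that rejects an over-long href instead of overrunning the buffer. The function names, the 256-byte buffer size, the generated test page and the sample addresses are assumptions made for the example.

```c
/* Added example: the unchecked-copy bug class the post suspects, next to a
 * bounded version.  Not Netscape or X11 code; names and sizes are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_MAX 256              /* assumed fixed buffer size for a recipient */
#define MAILTO_PREFIX "mailto:"

/* Hypothetical unchecked handler: copies whatever follows "mailto:" into a
 * fixed stack buffer.  With an href thousands of bytes long this overruns
 * the buffer (undefined behaviour), so only ever call it with short input. */
int open_mail_window_unchecked(const char *href)
{
    char addr[ADDR_MAX];
    if (strncmp(href, MAILTO_PREFIX, strlen(MAILTO_PREFIX)) != 0)
        return -1;                              /* not a mailto: URL */
    strcpy(addr, href + strlen(MAILTO_PREFIX)); /* no length check at all */
    return (int)strlen(addr);
}

/* Hardened handler: refuses anything that would not fit and copies with an
 * explicit bound, so a 10,000-byte href becomes an error, not a crash.
 * Returns the address length, -1 for a non-mailto: URL, -2 if rejected. */
int open_mail_window_checked(const char *href, char *out, size_t outlen)
{
    size_t plen = strlen(MAILTO_PREFIX);
    if (outlen == 0 || strncmp(href, MAILTO_PREFIX, plen) != 0)
        return -1;
    const char *addr = href + plen;
    size_t n = strlen(addr);
    if (n == 0 || n >= outlen)
        return -2;              /* empty or would not fit: reject before copying */
    memcpy(out, addr, n + 1);   /* n + 1 includes the terminating NUL */
    return (int)n;
}

/* Build the kind of href the post describes: "mailto:" followed by `count`
 * copies of the letter x.  The caller frees the result. */
char *make_long_mailto(size_t count)
{
    size_t plen = strlen(MAILTO_PREFIX);
    char *href = malloc(plen + count + 1);
    if (!href)
        return NULL;
    memcpy(href, MAILTO_PREFIX, plen);
    memset(href + plen, 'x', count);
    href[plen + count] = '\0';
    return href;
}

/* Write a test page like the post's, generated instead of typed by hand. */
int write_test_page(FILE *fp, size_t count)
{
    char *href = make_long_mailto(count);
    if (!href)
        return -1;
    fprintf(fp, "<html><body>\n<a href=\"%s\"> foo </a>\n</body></html>\n", href);
    free(href);
    return 0;
}

int main(void)
{
    char buf[ADDR_MAX];
    char *href = make_long_mailto(10000);
    if (!href)
        return 1;
    /* Short input is fine for both; the long href is rejected by the checked
     * version and would smash the stack in the unchecked one. */
    printf("unchecked, short address: %d\n",
           open_mail_window_unchecked("mailto:user@example.com"));
    printf("checked, 10000 x's: %d\n",
           open_mail_window_checked(href, buf, sizeof buf));
    free(href);
    return 0;
}
```

Running the program with `./a.out > /dev/null; ./a.out` prints the short-address length and the rejection code; to reproduce the post's page, call `write_test_page(stdout, 10000)` and save the output as crash.html. The point is the one the post makes: the hardened path decides whether the input fits before it touches the buffer, which is the sanity check the author says is missing.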