Re: Netscape Logic Bomb detailed by IETF
Dr. Frederick B. Cohen wrote:
>
> > In message <[email protected]>, Dr. Frederick B. Cohen writes:
> > [...]
> > >I strongly disagree. If Netscape provided a way to execute shell
> > >commands on your host from a remote computer, it would certainly be a
> > >hole created by their product. The fact that the default shell is
> > >potentially dangerous means it's incumbent on those who provide access
> > >to it to provide adequate protection.
> >
> > They do, add:
> >
> > application/x-shell; sh %s
> >
> > to your .mailcap.
> >
> > They had better stop supporting mailcap altogether, after all *any*
> > of the programs in there could have buffer overflows, or other
> > security problems. I'll bet some of them even do, anyone want to
> > see if sox (a program that transforms sound files from format to
> > format - frequently used to convert .wav files to .au files) has
> > any overruns in the chunk handling code?
>
> This is where the difference between your view and mine seems to part company.
> I am not talking about some bug in postscript or the shell. I am talking about
> a program that grants remote access to run these programs in the normal manner,
> which is unsafe.
>
> To support the position you seem to be taking (and the one currently
> taken by Netscape), you would have to say that the last several Sendmail
> "bugs" were not sendmail problems but rather shell problems because all
> sendmail did was allow you to execute a shell from the remote machine
> (perhaps via a queue file).
The execution of shell commands by sendmail was not approved
by the user. The execution of a shell or postscript interpreter, or
whatever, by netscape must be configured by the user. These are
not the same situation at all.
> > >If Netscape wants to claim their product doesn't degrade security, they
> > >should provide a safe postscript interpreter or not provide hooks to
> > >unsafe ones.
> >
> > Sure, and they had better find a way to keep us from editing the binary
> > and adding whatever insecure features we may want to their program.
>
> That's correct. Secure software has to have secure distribution in
> order to maintain its security when distributed through an untrusted
> channel. I think that Netscape uses an MD5 checksum which the members
> of this list seem to place unlimited trust in (incorrectly in my view,
> but that would be picking two nits with one keyboard entry).
I posted a list of MD5 checksums as a personal favor to various cypherpunks
who asked for them, since I have access to the original bits. The official
Netscape solution for checking your downloaded distribution will be
announced later in the year. In the meantime anyone who is uncomfortable
with downloading the bits from the net can always buy a copy. We will
ship them the distribution on floppy.
Do you have something better than MD5 to suggest? If so, on what do you base this
opinion?
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
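The mailcap entry quoted in this thread (`application/x-shell; sh %s`) maps a MIME type to a handler command, with `%s` replaced by the temporary file holding the downloaded content. The script below is an added example, not part of this message and not Netscape's or any mailcap implementation's code: it parses a `.mailcap` file in the RFC 1524 form (type; command; optional fields, backslash continuation, `\;` escapes) and flags entries that hand the content to a shell or to Ghostscript without `-dSAFER`, so an administrator can audit what a browser or mail reader would run on the user's behalf. The handler name lists and the sample `.mailcap` are constructed for the example, and the classification is a heuristic, not a proof of safety.

```python
"""Audit a .mailcap file for handlers that execute downloaded content.

Added example, not from the original thread.  mailcap entries (RFC 1524):
    type/subtype; command [; field[=value] ...]
`%s` in the command is replaced by the temporary file holding the content.
"""
import re
import shlex

# Handlers that run their input file as code.  Constructed list for this example.
EXECUTING_HANDLERS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh",
                      "perl", "python", "ruby", "tclsh", "wish"}
# Interpreters that should only be run with a restricting flag.
CONDITIONAL_HANDLERS = {"gs": "-dSAFER", "ghostscript": "-dSAFER"}

# Split on semicolons that are not escaped with a backslash.
_FIELD_SPLIT = re.compile(r"(?<!\\);")


def parse_mailcap(text):
    """Return a list of (mime_type, command, fields) tuples.

    A trailing backslash continues the entry on the next line; lines starting
    with '#' and blank lines are ignored.  Fields without '=' map to True.
    """
    entries, pending = [], []
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending.append(raw[:-1])
            continue
        pending.append(raw)
        line = "".join(pending).strip()
        pending = []
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in _FIELD_SPLIT.split(line)]
        if len(parts) < 2 or not parts[1]:
            continue  # no command: not a usable entry
        mime_type, command = parts[0].lower(), parts[1]
        fields = {}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            fields[key.strip().lower()] = value.strip() if value else True
        entries.append((mime_type, command, fields))
    return entries


def classify(command):
    """Return a short reason if the handler command is risky, else None."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return "command could not be parsed"
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]  # strip any directory prefix
    if prog in EXECUTING_HANDLERS:
        return f"{prog} executes the downloaded file as code"
    if prog in CONDITIONAL_HANDLERS:
        flag = CONDITIONAL_HANDLERS[prog]
        if flag not in argv[1:]:
            return f"{prog} without {flag}: PostScript file operators are unrestricted"
    return None


def audit(text):
    """Return [(mime_type, command, reason)] for every risky entry in text."""
    findings = []
    for mime_type, command, _fields in parse_mailcap(text):
        reason = classify(command)
        if reason:
            findings.append((mime_type, command, reason))
    return findings


# Constructed sample .mailcap for this example.
SAMPLE_MAILCAP = """\
# constructed sample .mailcap
application/x-shell; sh %s
application/postscript; gs -q -dNOPAUSE -- %s; test=test -n "$DISPLAY"
application/pdf; gs -q -dNOPAUSE -dSAFER -- %s
audio/x-wav; sox %s -t au - | play_au; \\
  needsterminal
image/gif; xv %s
"""

if __name__ == "__main__":
    for mime_type, command, reason in audit(SAMPLE_MAILCAP):
        print(f"{mime_type}: '{command}' -> {reason}")
```

Run against a real file with `audit(open("~/.mailcap").read())` after expanding the path; the two flagged sample entries are the shell handler and the unsandboxed Ghostscript handler, while the `-dSAFER` entry, the sound converter and the image viewer pass. Because mailcap commands are themselves executed through `/bin/sh`, a handler that is not on the list can still be dangerous; the list is a starting point for review, not a whitelist.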