A malicious attacker could take advantage of several unpatched security holes in Netscape to launch arbitrary code, cause cross-site scripting attacks or access and modify sensitive data, according to IT security firm Secunia.
The Copenhagen, Denmark-based company said in an advisory
"These Netscape/Mozilla vulnerabilities are serious in the sense that they could be used to execute arbitrary code on the user's system," Johannes Ullrich, chief technical officer of the SANS Internet Storm Center in Bethesda, Md., said by e-mail. "Like all browser vulnerabilities, they do require the user to visit a malicious page. However, we have seen in the past (e.g. download.ject) that users can be tricked to visit malicious pages or that the malicious code may be placed on trusted Web servers."
Of the vulnerabilities reported in Mozilla, the following have also been confirmed in Netscape 7.2 for Windows:
- Various boundary errors in "nsMsgCompUtils.cpp," which can be used to cause heap-based buffer overflows when a specially crafted e-mail is forwarded.
- Insufficient restrictions on script-generated events on text fields, which can be exploited to read and write content from and to the clipboard.
- Boundary errors in the "writeGroup()" function in "nsVCardObj.cpp," which can be used to cause stack-based buffer overflows by sending an e-mail containing a specially crafted vCard.
- A problem with overly long links containing non-ASCII characters, which can be exploited via a malicious Web site or e-mail to cause a buffer overflow and could potentially lead to arbitrary code execution.
- Integer overflows when parsing and displaying .bmp files, which an attacker could potentially use to launch arbitrary code by supplying an overly wide malicious .bmp image via a malicious Web site or in an e-mail.
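The last item names a bug class that is easy to show from the defensive side. The following C sketch is an added example, not Netscape or Mozilla code: it contrasts a 32-bit row-size calculation that wraps on an overly wide image with a checked version that validates the header before any allocation. The function names and the `BMP_MAX_DIM` limit are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BMP_MAX_DIM 32768u  /* assumed policy limit, not taken from any spec */

/* Unchecked 32-bit stride: width * bpp can wrap, yielding a tiny row size. */
uint32_t naive_row_bytes(uint32_t width, uint32_t bpp)
{
    return ((width * bpp + 31u) / 32u) * 4u;
}

/* Checked size: returns 0 and sets *out, or -1 if the header is rejected. */
int checked_image_bytes(int32_t width, int32_t height, uint16_t bpp, size_t *out)
{
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;
    if (width <= 0 || height == 0)
        return -1;

    uint64_t w = (uint64_t)width;
    /* A negative height marks a top-down bitmap; use its magnitude. */
    uint64_t h = (uint64_t)(height < 0 ? -(int64_t)height : height);
    if (w > BMP_MAX_DIM || h > BMP_MAX_DIM)
        return -1;

    /* 64-bit arithmetic cannot wrap here because both factors are bounded. */
    uint64_t row = ((w * bpp + 31u) / 32u) * 4u;  /* rows pad to 4 bytes */
    uint64_t total = row * h;
    if (total > SIZE_MAX)
        return -1;
    *out = (size_t)total;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int32_t wide = 0x20000001;  /* constructed sample width */
    printf("naive row bytes:  %u\n", (unsigned)naive_row_bytes((uint32_t)wide, 32u));
    printf("checked, wide:    %d\n", checked_image_bytes(wide, 1, 32, &n));
    if (checked_image_bytes(640, -480, 24, &n) == 0)
        printf("checked, 640x480: %zu bytes\n", n);
    return 0;
}
```

A buffer sized from the naive result would be far smaller than the pixel data a decoder then copies per row, which is why the dimensions are bounded before any multiplication.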
Thomas Kristensen, Secunia's chief technology officer, said in an e-mail that his firm received a report early Wednesday that Netscape was affected by two of the Mozilla issues. "One of our security specialists then tested the issues and could confirm that it was also affected by some of the other issues," he said. "The person reporting the issues to us has contacted the vendor. Because Netscape is based on Mozilla code the vendor should already be aware of these issues. We therefore expect a new version of Netscape shortly."
America Online Inc., which owns Netscape, did not immediately return a call for comment.
As a workaround, Ullrich said the "default user" should be as restricted as possible. "This will limit the impact of any browser/client vulnerability," Ullrich said. He added, "While a personal firewall is unlikely to block execution of this code, it can be used to limit damage and to alert the user of any malware that may attempt to 'call home.' Virus checkers had some limited success in alerting users about download.ject, and they may detect malware installed via this vulnerability."