|
|
|
Netscape Security News Archive
This page provides details of security issues affecting versions of the Netscape client prior to Netscape 7.0. For the latest security information regarding the Netscape client, visit the Netscape Security Center. If you wish to report a security vulnerability in the Netscape client, please use the Security Bug Report Form.
All issues described on this page have been addressed in the most recent versions of the Netscape client, which is available for download.
XMLHttpRequest Vulnerability
A flaw that could potentially allow a malicious web site to read files stored on a user's computer has been discovered in Netscape 6.1 through 6.2.2 versions of the Netscape browser. There are no known instances of this flaw being exploited. Netscape encourages those using versions 6.1 through 6.2.2 to upgrade to the latest browser version, which is not subject to this potential flaw.
Sun JRE (Java Runtime Environment) Issue
Sun Microsystems has warned users of a potential issue affecting the Sun Java Runtime Environment Bytecode Verifier and has made the remedy available to its Java technology licensees. Netscape is not aware of any instances of this flaw being exploited. Netscape has released the Netscape 6.2.2 browser, which is not subject to this potential vulnerability, and encourages Netscape Communicator users as well as Netscape 6.x users to upgrade to the latest Netscape software at: NETSCAPE.1command.com
Sun JVM (Java Virtual Machine) Issue
Sun Microsystems has warned users of a potential issue affecting the Sun Java Virtual Machine (JVM) and has released a new Sun JVM plug-in, which avoids this issue. Although there are no known instances of this issue ever actually occurring, Netscape encourages Netscape Communicator users as well as users who are running the complete installations (which include the Sun JVM) of Netscape 6.0, 6.01 and 6.1 to upgrade to the latest Netscape software. Netscape 6.2 and above include the Sun JVM plug-in and are not subject to this potential issue.
Cookie Vulnerability
A flaw that could potentially allow a malicious web site to read the cookies that another site has stored on a user's computer has been discovered in Netscape 6 through 6.2 versions of the Netscape browser. There are no known instances of this flaw being exploited. This issue does not affect users of Netscape 6.2.1, nor does it affect users of Netscape Communicator 4.x versions. We encourage those using Netscape versions 6 through 6.2 to upgrade to the latest browser version.
SmartDownload Exploit
A potential exploit was discovered for Netscape SmartDownload version 1.3 in which a buffer overflow could potentially be used to execute malicious code on a user's computer. The potential exploit affects Netscape 4.x or Internet Explorer Browser users with SmartDownload 1.3 installed on their computer. This does not affect users running Netscape 6. Netscape has issued SmartDownload version 1.5 which avoids the potential exploit. Although there are no known instances of this exploit ever actually occurring, upgrading to version 1.5 will ensure that you are not affected. We encourage users to upgrade to the latest Netscape browser version.
The Brown Orifice Vulnerability (August 8, 2000)
This vulnerability has been identified in Netscape Communicator versions 4.0 through 4.74 on Windows, Macintosh and Unix operating systems. This vulnerability does not affect Netscape 6. Netscape has released Netscape 4.76 and Netscape 6 browser versions, which are not subject to this vulnerability. We encourage users to upgrade to the latest Netscape browser version.
eMail Wiretapping Exploit
An exploit that could potentially affect Netscape 6 Mail users has been discovered. This exploit could allow the originator of an email message to include hidden JavaScript code in an attachment so that the originator is copied on all forwarded versions of the message. There are no known instances of this exploit, which does not affect users of Netscape Communicator. This exploit does not affect users of Netscape 6.01. We encourage users to upgrade to the latest Netscape browser version.
JavaScript Cookie Exploit (May 2, 2000)
An exploit was reported for Netscape Communicator 4.72 and earlier in which a hostile site can read the links in a user's bookmark file and some attributes of HTML files if the user's profile name and the Communicator installation directory path are known to the hostile site. This exploit has been fixed in Netscape Communicator 4.73. Users of previous Communicator versions can use any of four techniques to prevent the exploit. We encourage users to upgrade to the latest Netscape browser version.
The Acros-Suencksen SSL Vulnerability
This vulnerability, which could allow a malicious web master to intercept secure data via an SSL connection, has been identified and fixed in both the Personal Security Manager (PSM) for Netscape Communicator and Netscape Communicator version 4.73. Netscape Communicator 4.x users can protect themselves from this vulnerability by installing the most recent version of the Netscape client.
Java Security Vulnerability (March 29, 1999)
Netscape has been alerted to a security vulnerability in the implementation of Java that affects Windows, Mac OS, and UNIX versions of Netscape Communicator and Netscape Navigator 4.0x and higher. It does not appear to affect previous versions of Navigator. For more details, read the update. This vulnerability has since been identified and fixed in Netscape 4.51. We encourage users to upgrade to the latest Netscape browser version.
The Frame-Spoofing Vulnerability (January 7, 1999)
Netscape was alerted to a security vulnerability that affects versions of Netscape Navigator on all available platforms that support the use of frames, including versions 2.0 through 4.5. The bug has been fixed in Communicator 4.51 and we encourage users to upgrade to the latest Netscape browser version. For more details on this vulnerability, read the update.
JavaScript Cache Browsing Bug (October 29, 1998)
Netscape was alerted to a security vulnerability that affects Netscape Navigator 3.04 and 4.07 and Netscape Communicator 4.5. (Note: Mac OS and Unix versions are NOT affected.) The bug has been fixed in the latest version, Communicator 4.51. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Injection Bug (October 29, 1998)
Netscape was alerted to a privacy vulnerability that affects the Netscape Navigator browser. The Injection bug affects Navigator 3.x and Netscape Communicator 4.0 to 4.07 as well as the two prerelease beta versions of Communicator 4.5 for all platforms. The bug has been fixed in the final released version of Communicator 4.5. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Java Script Technology in Email (September 18, 1998)
Netscape was recently contacted about the potential for undesired behavior in HTML-based email clients that run JavaScript. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
No-Cache Meta-Tag Bug (October 29, 1998)
This bug, which has been identified and fixed in Netscape Communicator 4.08, represents a behavioral change in how Netscape Navigator handles local memory cache in versions of Netscape Communicator 4.07 to 4.5. It affects only secure web pages and only if multiple people use the same physical desktop PC. It in no way results in lost or stolen data over the Internet. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
MIME Type Buffer Overflow Vulnerability (November 6, 1998)
This bug has been identified and fixed in Netscape Communicator 4.08. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Brumleve Cache bug (October 6, 1998)
The Brumleve Cache bug has been identified and fixed in Netscape Communicator 4.07. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Long Filename Mail & ClassLoader Java Vulnerabilities (August 14, 1998)
The Long Filename Mail & ClassLoader Java vulnerabilities have been fixed in Netscape Communicator 4.06. Download the latest version of the Netscape browser to protect against both these potential threats.
Preferences Bug (February 19, 1998)
The Preferences bug has been identified and fixed in Netscape Communicator 4.05. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
French Privacy Bug (September 15, 1997)
The French Privacy bug has been identified and fixed in Netscape Communicator 4.03. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Santa Barbara Privacy Bug (August 29, 1997)
The Santa Barbara privacy bug has been identified and fixed in Netscape Communicator 4.03. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Singapore Privacy Bug (July 25, 1997)
The Singapore privacy bug has been fixed in Netscape Communicator 4.03. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Tracker Bug (August 4, 1997)
The Tracker bug has been fixed in Netscape Navigator 3.03. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Bell Labs Privacy Bug (July 18, 1997)
The reported Bell Labs privacy bug has been fixed in Netscape Navigator 3.02. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
Danish Privacy Bug (July 9, 1997)
This bug has been identified and fixed in Netscape Navigator 3.02. For more details on this vulnerability, read the update. We encourage users to upgrade to the latest Netscape browser version.
|
|
|
