Java Security Hole Makes Netscape Into Web Server
Baldrson and other folks as well write: "Dan Brumleve is at it again with Brown Orifice. In this episode, our fearless grey hat opens a security hole in the Web's foundation that makes Napster look positively tame by comparison. Be careful with this, kids. It turns your Netscape Web browser into a Web server that can serve up your entire file system to any other Web browser."
He saw KPCB's investment in Netscape going down the shitter and orchestrated the purchase through the leverage his firm had with AOL, another KPCB-sponsored firm.
This happens all the time - how the hell do you think a retarded merger like Excite/AtHome ever got off the ground???
Not a troll... just a statement of my observations... I resisted switching to IE for a few years, but I got fed up with all the countless bugs and resource/memory leaks (which were NEVER fixed, even after I properly reported reproducible bugs).
Now this. Netscape's browser was merely a platform to sell Netscape's server software. They only complained about IE when M$ started giving away IIS with NT - and then got really loud when IE surpassed Communicator in features and support (that's right... M$ might have had a few security leaks to fix, but they usually responded swiftly). Netscape often gets a lot less scrutiny compared to M$' browser, too, I might add.
Netscape sucks. A one hit wonder that now ranks below M$ and others in browser and server software.
Please - explain this procedure.
---
Slashdot: News For Zealots. Stuff That's Hypocritical.
That doesn't work for me. It says "connection refused" on my Linux box. I believe the script is only listening on my ethernet interface. If I put the IP address of my ethernet interface there, it answers, but then redirects me to the address of my firewall. So, I have to actually change the address that the script thinks it's listening on before it works.
--Joe--
Program Intellivision!
Guess my university's annoying firewall preventing connects to the dorms from outside the dorms finally came in handy. 129.49.239.210. All you can do is ping it.
The web server exploit does not rely on Netscape-specific classes. There are two exploits.
Seastead this.
The Mongrel Dogs Who Teach
2. Make said email client be able to access multiple accounts from the same instance of the client.
This is exactly what Mozilla is doing - you should try M17 which is about to come out in a couple of days.
How well do these stand up under load, and should /. replace Apache? :)
Seriously, I think the biggest issue will be a non-interactive thing that can be emailed to anyone, instead of this consent-to-opening-form thing. Because netscape is only open for a short time, a real proper exploit would have to make an outbound connection to a preset IP to "check-in" that it's available.
--
In point of fact, something of this nature has occurred as previously documented by Dan. It may not be Christian for Dan to fail to endlessly forgive transgressions and abuses of his trust, but then I thought business was about reciprocal altruism, not simply continuing to do favors for those who demonstrate a track record of abusing your trust.
If the force of law is to apply here, would it not make sense to prosecute the responsible parties at CERT, or wherever, if they abuse the professional courtesy extended them by people from around the world (not just in the United States) since, having been granted a unique position of public trust and authority, the abuse of said public trust and authority (for example, failing to respond as their name "emergency response" would suggest) subjects the global public to far greater dangers than a "premature" disclosure by one grey hat?
The grey hats of the world do not exist for the convenience of flabby and possibly corrupt bureaucrats -- nor should the web users of the world have to wait for the flabby and possibly corrupt bureaucrats to possibly notify their corrupt cronies of exploits so that maximum criminal profits may be extracted, whether through plagiarism or direct criminal activity.
Oh, but there I go being paranoid about the government again. ;-)
Seastead this.
Yes, /etc/inetd.conf is the place to disable daemons, but /etc/services is where you go to disable data transfer over a specific port. Like, for instance, if you disable the syslogd port, syslogd won't work, etc... And trust me, I have tried this, and I recommend that others do so as well, as this is a means of securing a box (though nothing beats a wall of fire)
Know ye not that ye are Gods???
On average, I have Netscape crash about once a day (Win98). I rarely use IE, but that too, crashes about as regularly. I haven't upgraded yet, but a good SysAdmin friend of mine advised me that IE V5.5 is even more unstable, and had huge problems with it when he upgraded his work systems. Can't verify that, haven't used it yet. The only problem I have with Netscape is that often when it crashes, I cannot close the "Netscape has performed an illegal operation...etc... close/details" box, it just reappears every time. Ctrl/alt/del no longer functions after that, nor does the computer shut down properly. Anyone else have this problem? IE occasionally does that to me after crashes, but usually the box closes properly.
--I assume full responsibility for my actions, except the ones that are someone else's fault.
Just some more corroborating evidence that AOL doesn't care about Navigator.
cpeterso
> You need to read Risks if you:
(*) Want a good laugh now and then... comp.risk can be very funny at times....
The demo that everyone's looking at won't work through a firewall because it's deliberately non-malicious. The scary part (for me) is that the Java applet has access to the file system, and I cannot see how a firewall can help if someone decides on a more malicious attack.
Instead of setting up an HTTP server, the applet could simply open an HTTP connection to the original server and start posting files from your hard drive. Applets are allowed to open connections back to the original host.
This is why client-software vulnerabilities are so scary -- the client software usually has the same privileges as you do.
You don't need to rely on Netscape specific classes to make it a Netscape implementation problem.
The real implementation problem is that Netscape have let their Java implementation wither on the vine.
"You know you want me baby!" - Crow T Robot
Every day I raise up thanks for ipchains(8):
ipchains -A input -l -y -j REJECT
Quick responses to a bunch of people, in no particular order:
plunge (cosym@yahoo.com) wrote:
> That's them creating the most important incentive for the
> future of all: the incentive to try to actually produce
> something superior to everything else. Sorry, but that's
> what counts in the end, and that's where things will end
> up when all is said and done.
gargle wrote:
> You're damn right. I'm voting with every click - voting in
> support of a superior product.
Denial of Service wrote:
> I hope you enjoy playing politician while the vast majority
> make choices based upon quality of product.
(1) A lot of techies don't like to believe this, but you are
essentially stuck living in a political world. You're
deluding yourself if you think you can live your life making
"technical" decisions without any political aspect.
(2) Luckily for my side this particular voting process has
proportional representation built-in, so I don't need "the
vast majority". No sane business throws away even 10% of
its potential market if it can avoid it, so a 90-10 split
between Microsoft and everyone else still leaves room for
standards to win out. At some point -- somewhere above 95%
market share is my guess -- there will be no practical
argument left to shoot down a designer that's itchy to play
with some new toy MS put in the latest IE, and there will be
no pressure left towards standards compliance.
(3) Netscape has far from a perfect record about standards
compliance, but it doesn't matter for this argument, since
I'm not telling you to use Netscape. Lynx, opera, mozilla,
xemacs, whatever. The point is to discourage reliance on
any one single company's proprietary technology (e.g. a
site based on macromedia flash isn't any better than an
IE-only site).
(4) It would be nice to believe that everything boils down
to simple free-market economics, but I've (reluctantly)
become convinced that in the real world, there is no single
simple set of principles that applies universally.
In this particular case, I'm arguing that your conception of
"a quality product" is shallow and short-sighted. When you
buy into a technology, you're getting more than a product,
you're also looking for "services", which means you have to
look to the future and think about everyone's long-term
incentives (as well as look to the past, and think about the
history of the groups involved). In this case, I'm arguing
that the future upgrades you're going to receive, and the
kind of web you're going to have to deal with will be
compromised by what you're buying into in the present.
Beware of Microsoft bearing gifts. What's hard to
understand about this?
I'm guessing it affects Communicator completely in General... and does this mean it's resident in Mozilla too?
Who's the black private dick, who's a sex machine for all the chicks?
I suppose this works on outgoing connections too; you could connect to servers other than the one that served up the class file. Anybody try it yet?
This [Client-Client Sharing] could be the Netscape killer app. A killer app to revive the original killer app!
Granted, the brown office server source code could be modified to make all of the files on your computer publicly accessible but the "bug" can be potentially useful as well. Well, obviously, it can be a free webserver and ftp server while taking up little more space than netscape itself. I wonder how many other bloatware applications can be exploited to do productive things? Or, how many other uses are there for Netscape? How many different language interpreters does it have? Java, Javascript, HTML, soon XML... Add to that its ability to use plugins, its ability to generate user interfaces on the fly, its internet connectivity, and you have a very rich set of resources to hack into other applications. Still, this is a bug and it can be exploited...
?/o
- Each bookmark is stored as a separate file. This means that I cannot have a bookmark with a colon in it, and I cannot manage them easily -- no sorting, no nice tree dialog like in Netscape. Opera is somewhat better in this area, but I still like Netscape's approach the most.
- Virtually no control over cookies. Accept, deny, confirm. That's about it. At least Netscape lets me deny cookies from another server.
- The history interface sucks. Again, every item is stored as a separate file. There is virtually no provision for sorting. Netscape rules this area.
- Crappy Find dialog. No "Find Next" command without first opening the Find dialog and keeping it open. F3 illogically opens the search-for-files dialog. So much for browser and file manager integration...
Hmm... I've been meaning to put this into some kind of comparison table for a while. Maybe this will get me started.--
There's little relationship between security notifications for IE at microsoft.com, and netscape.com
netscape.com is another goddam portal.
What are you doing even bothering with it?
Try finding a new home page. It's really quite simple. I would suggest /.
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
Jeesh, I just went through the trouble to install 4.74; pesky executable jpegs. Boy, this makes me want IE through wine, even though I know ceding the browser market to Microsoft will result in ceding the server market.
Somewhere people are betting over which finishes first: Mozilla 1.0 release, or wine progressing well enough to run IE reliably.
Shit! This is not the sort of gamble any serious Freenix or UNIX user would want to take....
Can you explain in layman's terms how to compile Mozilla without all the debug stuff in it? It is unusably slow in the form it is presently distributed in...
Actually, if your computer has oomph, Mozilla prereleases are getting pretty good. I'd also recommend Galeon - Gecko rendering engine with a minimalistic user interface.
Stop the brainwash
Whether the sploit works or not, they did leave their IP's up for everyone to see.
Correct me if I'm wrong (I'm sure you will), but Java is the only REAL language that has the capability to safely run untrusted applications. Unfortunately, it's not perfect, and exploitable security holes do happen. Like in Linux. Or in Windows. Yes, this hole sucks. So did WinNuke. So does the BIND-exploit-of-the-week.
So attention to all the trolling AC's... If you're going to use this to say "Java Sucks!", please include an alternate method of running untrusted software on your local computer!
...not once has Java crashed on me unless I wrote some bad code
Funny - I was going to say the same about my C++...
Probably a troll (or, at least, someone who's greatly misinformed) but...
No, HTML mail will not do this, the exploit uses a specially written java applet to take advantage of a hole in netscape's java implementation.
You should be running a firewall, anyways. Basically, unless you're running servers that you want to be accessible over the internet, you should have your firewall set up to block inbound connections (that is, connections from the internet to your network) with the exception of connections that you need to be open for something to work.
If you're concerned about this exploit, you may want to turn off java in netscape until they release a fix. Netscape's java implementation is quite buggy, anyways, if you want or need java in netscape, look at the java plugin available at The Blackdown Project.
As a precaution, you may also want to turn off javascript in mail and news, but keep in mind that javascript is not the same thing as java, the two are entirely different.
I still prefer Netscape to IE: with IE, the lack of security is designed in from the ground up (ActiveX etc.). Netscape at least is based on technologies that can be made secure.
For the time being, you just have to turn off Java and JavaScript.
It might also be worth looking at other ways of removing privileges from a running Netscape. Linux chroot, capabilities, various group hacks, LD_PRELOAD, and ptrace, could all be used to detect and prevent undesirable behavior.
Hehehe. Unless of course, you consider using a firewall and ssh port forwarding. :)
ipfw allow tcp from 12.34.56.78 to $oif 23 setup
ipfw deny tcp from any to $oif 8080 setup
And of course, private ip's on the inside of either firewall can get easy access to your files. :)
---
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
--- Never hold a dustbuster and a cat at the same time ---
Setting his threshold to 5, Sparky eliminated most of the trolls on /.
Any volunteers to write an adserver plugin for this? If we're gonna get 0wn3d we may as well make some money, right? :)
I guess that just means I'll have to run Netscape in a chroot environment, like I do apache.
Try doing that on windows...
Duct tape + WD40 => DevOps
I dunno, I'm pretty fond of the IE bug that makes the contents of all IE's cookies public information. Imagine.. If I log into my online bank with IE, and go to a website with a banner ad that has a little handy JavaScript, doubleclick.net knows my account number.
I suppose, then, that you don't live off of royalties from IP you've created? It's a lot easier to denounce IP rights when you are not putting food on the table with the money made from IP...
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
We all know why IE renders faster: it doesn't check for valid HTML in tables.
As for nicer looking docs: your opinion is subjective -- and you're more than entitled to it. But I see no objective reason to say that IE is any better at rendering HTML than NN is.
I have a Windows box so I can check my web sites in IE while developing and I make sure that pages look the same on all browsers ... they all render the same to me (except for NN for Linux, of course -- damn Motif).
great! i'll email my boss to tell them we dont need that fancy shmansy netscape webserver anymore! it's bundled with communicator
and you people mocked netscape. shows you all.
and i guess with mozilla, they'll be able to completely take over my computer, seeing how it will be an entire platform for doing everything...
shaolin punk, activist post-industrial
Last time I checked, Netscape and Mozilla do not offer to modify your partitions. When IE4 Preview came out, a person I knew was running Win95a, and it asked him if he wanted "Large Disk Support". He said yes.
I can only assume this was a beta of their Fat16->Fat32 converter, because when I got the call that his computer crashed, I found 2 non-DOS partitions that were not recoverable.
Reboot, Reformat, Reinstall.
Lars -
Online Services? You don't need to worry about that if you had 98lite
Rangers Lead the Way!
Perhaps the reason AOL doesn't care about Netscape is because Netscape sucks. Hard. It's difficult to convince people to use your service when the browser you offer them sucks. Hard.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Damn good thing I almost never turn on Java. In fact, I usually browse with JavaScript off as well and only turn it on when I actually need to.
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
Netscape actually planned to make money from the browser sales.
Why do you think "free IE" was such a problem for them? Why do you think they had to sell out to AOL?
Sorry, but that is incredibly short-sighted. I'm an anti-Microsoft fundamentalist. I don't have any Microsoft products on my machine. But I have to admit that at this moment IE is a better, more stable, more standards-compliant, easier to use browser than anything we've currently got on Linux (except possibly Konqueror, which I hope to try soon). Mozilla M16 is almost as good, but not nearly stable enough.
It's a bad mistake when you're so blinded by your dislike of the opposition that you can't recognise where they actually are doing better stuff than we are.
I'm old enough to remember when discussions on Slashdot were well informed.
He described this as a behavior of the netscape provided classes. Again, this is likely a case of trusted classes being too helpful, not of a total jvm sandbox model breakdown. Is the netscape JVM source available?
Wasn't Netscape the same browser that fell apart and crashed a few years ago when the HTML wasn't formatted (just right)?
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
This doesn't seem to work on the Mac OS. I put a temporary folder up (called Temp if anyone is looking through the list:) and I get a socket exception: unknown error and then a nullpointer exception. I think it's a pretty nifty hack, but I wonder if the mac version of Netscape (4.74 communicator) is vulnerable. Anyone get it to work on Mac?
If it's any consolation,
Typical java apps tend to have memory leaks or otherwise cause eventual reboots of the os when used with IE.
Is anybody (more or less involved with IT) really surprised by this?
There must be a lot more exploits waiting to be discovered, and it is about time that people start looking for exploits in other places than MS software. It is only a matter of time before the MS marketing people will find a way to leverage the constant finding/fixing issues in MS products versus the lack of any searching for holes in Open Source products.
MS makes great software. If you want a share of the marketplace, then compete by producing better software. Stop whining. In the end, consumers benefit from competition. Expecting consumers to choose your inferior product over a superior product to make some kind of political statement is lame and repulsive.
Case in point: The Mozilla project. If it were not for Microsoft, Netscape would have continued sitting on its ass, churning the 4.x line, and releasing noteworthy enhancements like the "shopping button".
By choosing to use IE, I am placing pressure on the Mozilla team to produce a better product on time. Browser statistics send a very clear message - they know that they cannot rely on any sense of charity from the marketplace. Compete, deliver, or die.
MS is a monopoly, and IE is a tool used illegally to further its monopoly. True, but this can be dealt with by anti-trust law. Requiring consumers to choose an inferior product to spite MS is like cutting off the nose to spite the face.
gargle wrote:
> MS makes great software.
Microsoft repeatedly turns out mediocre, buggy products that
get kind-of useable by the third version.
> If you want a share of the
> marketplace, then compete by producing better
> software.
Where have you been? If better software was all it took,
Borland would be the giant of the software industry.
> Stop whining.
No, you can't make me!
> In the end, consumers benefit from competition.
(Which end?)
> Expecting consumers to choose your
> inferior product over a superior product to make some
> kind of political statement is lame and repulsive.
(a) They're not my products.
(b) There are many instances where refusing to respect a
boycott is what's really lame and repulsive. ("I always
buy from the Gap, they make great clothes for a great price!
Oh... they're manufactured by asian women conned into
indentured servitude in Saipan by being told they're getting
jobs in the US? Don't bother me with that political crap!")
> Case in point: The Mozilla project. If it were not for
> Microsoft, Netscape would have continued sitting on its
> ass, churning the 4.x line, and releasing noteworthy
> enhancements like the "shopping button".
Right, multiple competing companies are better than just one
defacto-monopoly. A Netscape-dominated web could easily
have become a mess of BLINK tags.
> Compete, deliver, or die.
Extend, embrace, extinguish.
> MS is a monopoly, and IE is a tool used illegally to
> further its monopoly. True, but this can be dealt with by
> anti-trust law.
Have you been paying any attention at all? This isn't
being dealt with by anti-trust law... the government is
busy trying to fight Standard Oil all over again.
In any case, my contention is that consumer boycotts are
more effective in many cases than waiting for government
action. Boycotts work faster and are more reliable,
because of the "proportional representation" effect I
mentioned earlier.
> Requiring consumers to choose an inferior
> product to spite MS is like cutting off the nose to spite
> the face.
I think this is incredibly melodramatic. The "inferior"
products just aren't that inferior (and some of them may not
be inferior at all... if Opera were out for Linux I might
give it a try, and Mozilla is certainly getting there).
Anyway, I have no problems with rewarding the best.
Aren't you arguing for rewarding the worst?
Why does everyone think that Browsers should be free????
Opera is a kick A$$ browser and I gladly paid for it. In the scope of software, browsers are becoming more and more difficult to write and the space of junk people are putting on the web continues to bloat out of control.
Man, I had to wade through a fat stack of default-2 posts of the worthless "yah!!! see Netscape always sucked!!! IE Sucks worse!!!! Bill Gates eats babies!!!" kind to get to this, the first informed technical post in the list. Mod it up, please.
--
When all you have is a hammer, every problem starts to look like a thumb.
I downloaded the exploit code, and then I noticed their site had grabbed my HTTP proxy's address. (Proxy use is mandatory at this ISP.)
This doesn't give any real protection: I'm pretty sure they can get my real address. It just isn't in the code yet.
WWTTD?
It didn't get through my firewall:
FEHLER
Die angeforderte URL konnte nicht geladen werden
Während des Versuches, die URL
http://123.45.678.9:8080/usr/local/ zu laden,
trat der folgende Fehler auf:
Verbindung schlug fehl
Das System gab:
(111) Connection refused
zurück.
Der Zielrechner oder das Zielnetzwerk könnten deaktiviert sein. Bitte versuchen Sie die Anfrage später nocheinmal.
(The given URL couldn't be loaded. While trying to load the following URL xxx.xxx.xxx.xxx the following error occurred: Connection failed. The system reported: Connection refused. The destination couldn't be reached. Please try again later.)
Can someone give me a reason why I shouldn't feel smug?
--
When all you have is a hammer, every problem starts to look like a thumb.
the enlightening method, from ServerSocket is:
    protected final void implAccept(Socket s)
            throws IOException {
        try {
            s.impl.address = new InetAddress();
            s.impl.fd = new FileDescriptor();
            impl.accept(s.impl);
            SecurityManager security =
                System.getSecurityManager();
            if (security != null) {
                security.checkAccept(s.impl.getInetAddress().getHostAddress(),
                                     s.impl.getPort());
            }
        } catch (IOException e) {
            s.impl.close();
            throw e;
        } catch (SecurityException e) {
            s.impl.close();
            throw e;
        }
    }
Basically, you can't easily not do the open, because you need to get the port and host address from the impl attribute of the socket - after telling it to open. I think that a more sound approach would be to make impl flexible enough to do its dns setup without actually opening.
Anyway though, the upshot is that the current approach requires that we trust the close method on impl. Looking back through the initializers which create impl, I think this is safe, but hard to prove safe. My guess is that the earlier JVM classes did this incorrectly - they trusted s.close instead of s.impl.close. Which is bad; we don't know where s has been.
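An added illustration of the failure mode the comment above guesses at, written for this page and not taken from the poster or from any JVM source: when the policy check runs after the connection is already open, a denial is only enforced if the cleanup goes through an object the caller cannot substitute. All class and method names below (Impl, Sock, StickySock, checkAccept) are hypothetical toy stand-ins, and no real sockets are opened.

```java
/**
 * Toy model of the accept-then-check pattern: the connection exists before
 * the security check runs, so the cleanup path decides whether a denial
 * actually takes effect. All names here are hypothetical stand-ins.
 */
public class AcceptCheckDemo {

    /** Stand-in for the trusted SocketImpl: final class, so close() cannot be overridden. */
    static final class Impl {
        private boolean open = true;
        final String peerHost;
        final int peerPort;

        Impl(String peerHost, int peerPort) {
            this.peerHost = peerHost;
            this.peerPort = peerPort;
        }

        void close() { open = false; }
        boolean isOpen() { return open; }
    }

    /** Stand-in for Socket: not final, so the caller may hand in a subclass. */
    static class Sock {
        Impl impl;
        void close() {
            if (impl != null) impl.close();
        }
    }

    /** Caller-supplied subclass whose close() ignores the request. */
    static class StickySock extends Sock {
        @Override
        void close() {
            // Does nothing: the underlying connection stays open.
        }
    }

    /** Stand-in for SecurityManager.checkAccept with a deny-all policy. */
    static void checkAccept(String host, int port) {
        throw new SecurityException("accept denied: " + host + ":" + port);
    }

    /** Cleanup through the caller-controlled object (the pattern the comment warns about). */
    static void acceptTrustingSocket(Sock s, Impl incoming) {
        s.impl = incoming; // connection is already established here
        try {
            checkAccept(s.impl.peerHost, s.impl.peerPort);
        } catch (SecurityException e) {
            s.close(); // dispatches to whatever subclass the caller passed in
            throw e;
        }
    }

    /** Cleanup through the trusted handle, as in the implAccept code quoted above. */
    static void acceptTrustingImpl(Sock s, Impl incoming) {
        s.impl = incoming;
        try {
            checkAccept(s.impl.peerHost, s.impl.peerPort);
        } catch (SecurityException e) {
            s.impl.close(); // Impl is final, so this always closes
            throw e;
        }
    }

    /** Runs one variant with a hostile Sock subclass and reports whether the connection survived. */
    static boolean openAfterDenial(boolean cleanupViaImpl) {
        Sock s = new StickySock();
        Impl incoming = new Impl("192.0.2.10", 40000); // constructed sample peer
        try {
            if (cleanupViaImpl) {
                acceptTrustingImpl(s, incoming);
            } else {
                acceptTrustingSocket(s, incoming);
            }
        } catch (SecurityException denied) {
            // Untrusted code can catch the exception and keep its reference to s.
        }
        return s.impl.isOpen();
    }

    public static void main(String[] args) {
        System.out.println("cleanup via s.close():      connection open = " + openAfterDenial(false));
        System.out.println("cleanup via s.impl.close(): connection open = " + openAfterDenial(true));
    }
}
```

In the toy model the impl field is reachable by the subclass; the model assumes, as the comment does, that untrusted code cannot replace the real impl.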
And since when has the MS incentive been anything but to hold onto their marketshare like a spoiled brat in a nursery. Netscape failed because they offered a cross-platform way to access the internet and the monopoly were afraid of this. Hence they used the well-known and highly illegal monopolistic practice of 'dumping', as in giving away your product to drive any competition out of the market. IE is better than NS for one reason. It has financial backing that NS4.7 doesn't. Had the monopoly behaved itself Netscape wouldn't be in such a mess now, and we'd see real competition.
Well, I enabled java and javascript to try it out (I usually think running programs in a browser just to look at articles is silly) and it was blocked. Anyone else running junkbuster find this relief?
It worked for me on Windows NT 4.0. Netscape 4.61
Just for the historical record or something.
The only reason all cover-ups appear to fail is that you never hear about the ones that succeed.
or just grab a nightly build.
Female Prison Rape in NY
I don't use Windows enough to know if "IE" is better. I have used windows enough to know that Linux is better, and while Netscape is far from perfect, it works well enough on both platforms that I don't understand why anyone would take the trouble to complain (like, yeah, it will crash after a few days of uptime, and yeah, that's mildly annoying, but so what? Generally, any tasks I do with the browser are completed in less than an hour -- and if I want to read a long essay or something, lynx is fine.)
Anyway, there's a really good reason why you shouldn't use "Internet Explorer", no matter how absolutively wounderful it is: you're voting with every mouseclick, leaving trails in the logs of every website you visit, getting us all a little closer to a Microsoft dominated world. When IE on Windows shows up at 95% plus, every dweeb of a web designer is going to insist that there's no point in sticking to any "standards" but Microsoft's.
So, you don't like Netscape, that's fine, go out and find a copy of Opera or something. If you use Internet Explorer, you're being incredibly short-sighted, and you deserve the world you're going to get.
This is the same sort of hole as, say, the old bsd mmap problem. Just as user/supervisor modes make it possible to write a system which puts processes in sandboxes, the JVM security system makes it possible to put applets into sandboxes. But in both cases, getting the security checks correct is a non-trivial exercise.
Even though this (Netscape bug) is not open source, any bets as to how long it takes before M$ starts targeting Linux as "insecure" because of this bug? I can see it now... 60 second commercial on ABC running one of their golf tournaments... a panicked young exec talking to a senior citizen (obviously his boss) about how their open source system was wide open... Firstly, thank you to Dan for making this public. Secondly, what are we to do about it? I don't control Netscape's source, but I really like my pr0n. What to do, what to do...
~Religion is O.K., as long as it gets you laid.
You need to read Risks if you:
- Use and depend on computers in any but the most trivial way
- Program computers
- Make policy decisions regarding computers
- Operate computers in a way that affects safety (pilot a modern airplane, work in a hospital)
- Use computers in a way that may impact your own safety (flown on a modern airplane lately?)
I think that probably covers most Slashdot readers, which is why I keep posting it here. You might also want to check out the book "Computer Related Risks" by forum moderator Peter G. Neumann ISBN 020155805X. It draws on material from the forum but discusses it in greater depth. You'll find it at all the online bookstores and many local bookstores as well.
Here's a few of my own posts to Risks:
I also recommend that everyone refer regularly to the CERT Coordination Center to read the latest in security advisories and report security problems to them when you find them.-- Could you use my software consulting serv
Here's another warez and pr0n site:
warez.slashdot.org
enjoy!
I'm absolutely sick to death of people saying something doesn't affect them as long as they're not running `insert vulnerable app here' as root. So it might not be able to take out your machine...but what do you have in your home directory? If you're a Linux desktop user, and use it for wordprocessing, it may well just be a copy of your theses, to which you'd naturally have read and write permission. This is a pretty [almost ubiquitously] common situation for home users. Lulling people into a false sense of security is unethical.
Opera is obviously manufactured by the NSA. Who else but the U.S. government would charge for what others consider to be free?
Well, most of us would figure it'd be free to not put a company's software on your machines but evidently microsoft thinks there should be a charge for that too.
The U.S. government isn't allowed to charge for software anyway, to my knowledge anything authored by a government program they have to release to the public or keep to themselves. (I read something like that in the license of some government produced software. we're not allowed to charge each other for it either tho')
Ever get the impression that your life would make a good sitcom?
Ever follow this to its logical conclusion: that your life is a sitcom?
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
It seems more stable on Windows, but, as we all know, IE loads a lot faster and, IMHO, IE just renders the HTML into a nicer-looking document.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Yeah, right. Running as a plain user, the only files the intruder can get into and mess up are your personal work files, the stuff you've recently created, your shortcuts, correspondence, that kind of stuff. Anything in your home directory.
The really important stuff, meaning the stuff that came off the distribution CD's, is protected.
Yep. That's the typical Unix 'security' mentality. Protect the system. Fuck the user.
now go suck my black chcolate ass
--I assume full responsibility for my actions, except the ones that are someone else's fault.
The java applet seems to use the IP it detects from the Brown Orifice site. It tries to establish the service on that port. With IP Masquerading in front of this winders box, the java thingie gets confused. I guess we'll have to work on that...
ok. in short this is how it works.
1] it sets up a server socket on port 8080 with a handler for that. any java applet can do this.
2] it bypasses the java.io.File stuff which is sandboxed by using the netscape file://c:/ command (which is friggin brilliant if i may say so...) to browse files. since it's running in a web browser anyway, it can send commands to the local browser.
Fix :
Simple. expand the security sandbox so applets can't use file:// to exploit their local browser.
especially the ones with a username in the URL. Hope they're behind firewalls...
It is done by choosing "Exit" from the file menu.
--Mr_Machine_Code
Yep, you could. You can not only read/write anywhere, you can also reformat...
While the whole At Ease concept is outdated there are alot of institutions keeping it because they have old hardware and cannot go to OS 9 or they have incapable sysadmins. Especially in K-12 schools.
Users will always install and run insecure apps. As sysadmin, it's my job to keep the company LAN safe regardless. Well, despite this article, it looks like I'll be sleeping soundly tonight.
Firewalls should be for everyone. Anyone who connects their PC (regardless of what OS it runs) directly to the internet is just a damned fool that deserves what they get. Just remember, "if it connects to the net, it runs firewall SW and nothing else." Put the browsers and napsters and toys behind the firewall.
If that sort of stuff crashes the JVM, then its Well stuffed. Get a different one. Array out of bounds errors should throw an exception, and Java initialises *all* data to defaults (though for objects, this is nil, which will cause exceptions to be thrown).
Unless you use JNI, or some other kind of native code, a correctly written VM should never crash (though of course, it might *stop*).
No definitions found for "hypocrit", perhaps you mean:
web1913: Hypocrite
wn: hypocrite
easton: Hypocrite
I agree. I finally bent over and went to the dark side, and my life is a little less annoying for it.
But can someone tell me how to have my links folder contents be in an order other than alphabetical?
The answer: Preferences/Advanced/Enable Java OFF.
I mean, what do you people use Netscape's Java for anyway? Maybe you have a thing for punching monkeys, but I for one can do without Java in a browser.
It's a hole alright, but a *Netscape* hole, not a Java hole. It's a faulty and buggy implementation, that's all. No need to blame Java for it.
Oh great, another "IE is better than Netscape" dude. This is "Insightful"? I don't use Windows enough to know if "IE" is better
Then shut your pie hole. Because if you DID use IE for more than 15 mins you'd see the point.
I too was a 'Netscape only' person from version 1 to version 4.72. Netscape simply has become worse and worse while IE has become better and better (well, maybe not 5.5 but 5.01 is solid).
There comes a time when getting your work done is more important than supporting some ideal that obviously isn't shared by the actual developers.
That time for me was June 2000. Goodbye Netscape and good riddance.
On a vaguely on-topic note, I run Zone Alarm on my Windows laptop, and I just tested this. Zone Alarm halts it immediately, and it's free for individual use. When I tried to contact my "Netscape Server" after I exploited my box, a window popped up asking if I wanted to allow Netscape to run as a server. I said no, and the connection failed.
OK... but i tried telnet too and it didn't
return anything... even though I never
connected with the browser ( yet ).
although the port is open... i did connect...
which is unsettling enough.
So, what's the dilio?
I am forced occupationally to use IE quite a bit, but I always use Netscape at home. Given that it's a family computer, and my little sister started crying when she saw the login prompt, thinking she had broken something, I had to take Linux off of it. Windows is horribly unstable on this machine and terrible at allocating memory. IE crashes like a 3-wheeled car. Netscape does fine, except for a few particular pages, and one piece of junk e-mail I have. When IE crashes, it takes the whole system with it. I only use IE for the two sites that netscape can't view without crashing. When I do that, I keep netscape open, so I have something resembling a file manager open to re-start explorer when it crashes. I kid you not. This is routine for me now. I would re-install the system to wipe out the crap that my sister installed that's clogging it up, but my parents have forbidden that along with Linux. Anyway, when netscape crashes, it frees up 30-90 MB of physical RAM that was not free before it started. I don't know how or why, but it's very reliable. In fact, every time I start up StarCraft, if I've been running winamp long enough (memory leaks) I'll open up netscape, open that one e-mail it can't handle, wait 10 seconds, ctrl-alt-del and kill it. It gives me all the RAM I need. Is it a bug? Yes, but certainly the lesser of the two evils.
WARNING: there is a trojan on your
I feel alot better about warning people about trying out this exploit. They didn't make it too obvious that not only were you confirming it works on your configuration, but putting yourself on a list of computers to exploit. Furthermore, their default choice of C:\Program Files\ is a very vulnerable directory for most Windows users. Sure, it effectively demonstrates the problem but unsuspecting idiots who have most of their apps and data under that tree could be screwed.
Bleh!
You know, stupid stuff. Going out of bounds on arrays, forgetting to initialize stuff before referencing it... that kind of stuff.
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
Have you tried holding down CTRL while shutting down? Supposedly it should ``force'' Windows 98 to shutdown...
Me... If I ever get problems I telnet in from my laptop and do a killall netscape, but it hardly ever gets to the stage where I have to do that.
If you're behind a NAT firewall like Linux's IP Masquerade, this doesn't pose a problem. The server-side CGI which sends parameters to the Java applet sets the address of your NAT gateway- which, of course, is not the address of the system running Netscape Navigator.
I do a lot of client-side javascript programming for both IE and NetScape. I've always found IE to be MUCH easier and powerful with respect to its implementation of the DOM and what I can do with it. Now I find it is actually more secure too. Why am I using Netscape again? Maybe I don't have any good reasons left.
This is a Java applet, not a Javascript exploit. The fact is that just about any client side scripting has to be implemented perfectly to avoid security problems. This being an imperfect world, I browse with Java and Javascript OFF.
Ah, when will Mozilla be ready? I am tired of using IE. Now if we could convince the people building Mozilla to:
1. Separate the email client from the browser and get rid of that silly profile idea.
2. Make said email client be able to access multiple accounts from the same instance of the client.
3. Incorporate the ability to block off server URL's for ads, images, and content.
4. Incorporate a black list for URL's.
Just my turn to rant!
--- Never hold a dustbuster and a cat at the same time ---
Setting his threshold to 5, Sparky eliminated most of the trolls on /.
Where is it that I even implied JavaScript=Java?
Have you been paying any attention at all? This isn't being dealt with by anti-trust law...
Decreased revenues due to open source competition can't be the only thing driving down Microsoft's stock price. It's about 50% off its high before the antitrust rulings.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
A) Netscape's JVM implementation is a piece of dog doo. Always has been up until 4.x and even then it was bad. (Yes, they WROTE THEIR OWN VM... argh)
B) There's a post above that basically explains that this exception doesn't happen in IE. Sun's code is partially at fault in versions of Java prior to Java 2 version 1.3...
-Stu
I donno, the exploits in IE/ActiveX that allowed web pages to read, write, and execute files anywhere on the system? That's an exploit to be truly worried about. Hey look! This webpage not only writes a virus to your system, it executes it too! This one only serves up files, and while bad, also took much longer to find, meaning it was probably deep in the code.... i.e. a mistake. I only hope there will be a patch soon.
"Free beer tends to lead to free speech"
uhmm.. drag and drop :)
HAHAHAHA!
It had to be said, sadly, it really did. I've used IE for a good long time, Netscape just never "felt" right for me (personal choice). IE has had some flakiness but overall it's worked fine. Meanwhile my SO had used Netscape until it just got to the point where it was so unstable that she had to switch. She's a "user" - she just wants to browse WEB pages not learn the guts of why something's broken. Needless to say IE now works fine for her (sigh). This wasn't dirty pool by Microsoft, they just delivered a product that worked is all.
When Netscape declared they were releasing source code I was actually pretty hopeful. Without competition MS will become complacent just like Netscape did. However, in the time since it was released Netscape has continued to make "point releases" to their old crap and I've yet to hear about any of the Mozilla versions being stable enough to - wow - use!
This is a real shame too. My biggest hope, and one of the reasons MS's IE has done so well was that a componentized version of Netscape would be released. Then products like Quicken, Notes, and a ton of other products wouldn't actually have to write their own browsers. Neat idea huh? So how come IE is the only one that's done it so far? My customer is exclusively Netscape but slowly but surely IE is taking over and getting upgraded on everyone's workstations - the component portion is why. These people like most users don't want to hear the political crap as to why they should or shouldn't use a product - they've got a life and a job to do.
Get with it Netscape, there's a reason you're losing the "browser war" and it's not all just dirty pool by Microsoft. Get off the porch and innovate!
BTW - anyone else read the open letter to Netscape by the standards group that concerns itself with browsers? It would seem IE is more compliant than Netscape these days. Sad huh?
Build it, Drive it, Improve it! Hybridz.org
>> MS makes great software.
> Microsoft repeatedly turns out mediocre, buggy products that
> get kind-of useable by the third version.
That's true, actually. And by the fifth version (I'm using IE 5.0 for Mac) they often beat the competition.
As with most people who read this story, I found that it was worrying though I don't run Java on Netscape normally (as it has a tendency to explode when Java is on). Nonetheless, I tested a couple of things with this applet. As should be obvious, the applet doesn't work if you don't run Java applets on Netscape (duh)... but what I found worrying is that when I commented out the specific ports in /etc/services , the applet still worked. Why would this be - I have commented out the ftp ports in /etc/services before, and the ftp server didn't work as a result, so why should it be different with a Netscape web proxy port acting as a server?
Know ye not that ye are Gods???
And I have two hosts, one at 127.0.0.1 and 10.0.0.6. ;-)
--Joe--
Program Intellivision!
Good thing I'm using my trusty rusty ipchains firewalling gateway to prevent direct access to my browsing system. Vern, Vern, Vern, when will you learn, Netscape has more holes than swiss cheese?
My car gets 40 rods to the hogshead, and that's the way I likes it!
Run his script to load the java applet, and then in the link the script provides, change your IP to localhost. Definitely time to leave Java turned off until further notice.
-- Colin Cross
doom said: Oh great, another "IE is better than Netscape" dude. This is "Insightful"? I don't use Windows enough to know if "IE" is better
:->
A good browser can handle bad HTML. IE error at MS's Windows Update site
birder replied: Then shut your pie hole. Because if you DID use IE for more than 15 mins you'd see the point.
ROTFL!!! The only point I see is the one on top of your head!
Having been forced to use IE by Satan, errr... Bill Gates, I can say without a doubt that IE sucks!!!
--
You think being a MIB is all voodoo mind control? You should see the paperwork!
A man who wants nothing is invincible
-- Could you use my software consulting serv
SITCOM
Single Income, Two Children, Oppressive Mortgage
Yep, my life is a sitcom.
government software, as it is the taxpayer that owns it. So I believe you could resell it if you wanted to in your own package. I think it is alot like those "army survival manuals" that you see reprinted when you walk into Barnes and Noble. Also, patents granted to government agencies/employees are public domain (they are quite a few) and you can make/use them for profit. Government funded IP belongs to the people (This does not go for grants given to a company to develop technology however - it's whoever controls the patent/copyright)
I know it's offtopic - only to try to clarify a point thats been posted.
GrEp wrote:
> Java itself is not the problem. This summer I
> have been doing a lot of Java development on
> Linux, and not once has Java crashed on me
> unless I wrote some bad code.
What kind of "bad code"? If you mean Java code, then Java itself (well, the JVM you're using) *is* the problem. If you mean native code, then sure, it's your fault.
The state of JVMs on anything other than Solaris and Windows is pretty shocking in my experience, which is, admittedly, limited to Linux and IRIX. I hear the HP/UX JVM is pretty good.
score 3:Flamebait?
Since when did Flamebait get marked so highly? Perhaps you meant Funny?
Higher level languages attempt to nullify such security holes by using internal means of actual data storage and recovery that are proven to not cause such exploits. This makes for languages which are in essence more secure by default, granted that bad programming can still leave holes open.
A good browser can handle bad HTML.
What, you mean like if you forget to close a table, the table doesn't end up invisible?
I'm running behind a NAT based system. I downloaded the browser. It kept insisting on going to my external IP address instead of the IP I actually pointed it at.
Further, all I saw was "Permission denied" on any place I tried to read.
So - my first question - how did the browser know what my REAL IP was behind the NAT box? Did they configure it into the browser before I down-loaded it? Further, are they recording said IP's for later exploits????
I'd guess if you are behind a firewall or NAT box that won't do them much good....which is a "good thing."
Anyway - maybe one should think twice before downloading and trying this "exploit."
My
Have you compiled your kernel today??
Doesn't work for me - nmap doesn't see it, I can't get any response from telnet or via another browser session on the same subnet or over the internet.
in fact, none of the links work.
Am I doing something wrong?
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
It's time to spell Katz right in your subject line or else shut up about "Hemos what'll it be" when it's Katz's IP at issue.
I believe in people being intelligent too but there's a difference just repeating that mantra and actually doing something to be intelligent.
So AC, what'll it be?
Ever get the impression that your life would make a good sitcom?
Ever follow this to its logical conclusion: that your life is a sitcom?
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
Trollific: possibly, offtopic: no. I speak of how I am going to UTILIZE the exploit to grow the largest collection of porn ever. Oh well, those are dem breaks. =\
Help me through college please!
Obviously non-sandboxed scripting languages like Javascript and ActiveX are a different kind of risk, and simply can't be trusted.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Granted I'm only going to turn it on when I'm planning to play now...
http://thing.indirect.com
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
The MS Word crack I stumbled upon I found was even worse; search for a file, and you can get read access to files in the same directory [which is supposedly secure] with an open menu dialogue. You can even open the passwd file from a remote At Ease server volume!! Though its a bin file, parts of it are readable.
However I think they cleared this up in the current version of At Ease.
I kind of like the sort of world where the incentive is to make the best product, thanks.
If Microsoft attained their standing and wide-spread domination via anti-competitive means, fine, but you can't blame consumers for using what they like best. That's them creating the most important incentive for the future of all: the incentive to try to actually produce something superior to everything else. Sorry, but that's what counts in the end, and that's where things will end up when all is said and done.
Mindcraft unleashes its latest web server benchmarks pitting IIS against Netscape Navigator...
Say what you will about M$/IE, but if a bug like this gets reported for Internet Exploder, you can bet your ass they'll post at least a notification (if not a workaround or patch) on their site faster than you can say "class action lawsuit."
Netscape? Netscape.com is too busy telling me about the new cute chick flick "Coyote Ugly" and checking my stocks. I'm one click away from the "Security" section of Microsoft.com. On Netscape.com, I am one click away from sports scores.
I used to be a really big fan of Netscape, but they just keep screwing up. I swear, I want to like them...
Writers get in shape by pumping irony.
I ran the applet, and my portsentry has caught 9 people in less than 20 minutes trying to connect to my 'puter. Just a heads up to those other curious people out there.
Portsentry Log
965533382 - 08/05/2000 23:43:02 Host: ppp-121.tnt-1.ind.smartworld.net/64.71.16.121 Port: 8080 TCP Blocked
965533409 - 08/05/2000 23:43:29 Host: c1102499-a.mntp1.il.home.com/24.22.238.125 Port: 8080 TCP Blocked
965533665 - 08/05/2000 23:47:45 Host: cx1009234-b.lbbck1.tx.home.com/24.15.153.5 Port: 8080 TCP Blocked
965533766 - 08/05/2000 23:49:26 Host: bluewhale-ext.nus.edu.sg/137.132.2.110 Port: 8080 TCP Blocked
965533960 - 08/05/2000 23:52:40 Host: adsl-151-203-192-148.bellatlantic.net/151.203.192
965534057 - 08/05/2000 23:54:17 Host: dialupB214.dlth.uswest.net/207.109.199.214 Port: 8080 TCP Blocked
965534280 - 08/05/2000 23:58:00 Host: dsl-209-162-218-233.easystreet.com/209.162.218.23
965534282 - 08/05/2000 23:58:02 Host: Station06.DSFM.MB.Ca/204.112.25.16 Port: 8080 TCP Blocked
965534422 - 08/06/2000 00:00:22 Host: koyk-u5.cisco.com/171.69.66.107 Port: 8080 TCP Blocked
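A log like the one in the comment above can be summarized programmatically. The following is an added example, not part of the original post: the line layout is inferred only from the excerpt shown there, the sample lines and addresses are constructed, and the class name is hypothetical. Truncated lines, like two in the excerpt, are set aside rather than guessed at.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; the field layout is an assumption based on the excerpt in the post.
public class PortsentrySummary {
    // epoch - MM/DD/YYYY HH:MM:SS Host: name/ip Port: N TCP|UDP Blocked
    private static final Pattern LINE = Pattern.compile(
        "^(\\d+) - \\d{2}/\\d{2}/\\d{4} \\d{2}:\\d{2}:\\d{2} "
        + "Host: (\\S+)/(\\d{1,3}(?:\\.\\d{1,3}){3}) "
        + "Port: (\\d{1,5}) (TCP|UDP) Blocked$");

    static final class Summary {
        final Map<String, Integer> hitsByPort = new TreeMap<>();   // "8080/TCP" -> count
        final Map<String, Integer> hitsBySource = new TreeMap<>(); // source IP -> count
        final List<String> unparsed = new ArrayList<>();           // kept for manual review
        long firstEpoch = Long.MAX_VALUE;
        long lastEpoch = Long.MIN_VALUE;
        int total;
    }

    static Summary summarize(List<String> lines) {
        Summary s = new Summary();
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty()) {
                continue;
            }
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                // Truncated or foreign line: never guess the missing fields.
                s.unparsed.add(line);
                continue;
            }
            long epoch = Long.parseLong(m.group(1));
            s.firstEpoch = Math.min(s.firstEpoch, epoch);
            s.lastEpoch = Math.max(s.lastEpoch, epoch);
            s.hitsByPort.merge(m.group(4) + "/" + m.group(5), 1, Integer::sum);
            s.hitsBySource.merge(m.group(3), 1, Integer::sum);
            s.total++;
        }
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample lines (documentation address ranges), not taken from the post.
        List<String> sample = Arrays.asList(
            "965530000 - 08/05/2000 22:46:40 Host: host-a.example.net/192.0.2.10 Port: 8080 TCP Blocked",
            "965530060 - 08/05/2000 22:47:40 Host: host-b.example.net/198.51.100.7 Port: 8080 TCP Blocked",
            "965530300 - 08/05/2000 22:51:40 Host: host-a.example.net/192.0.2.10 Port: 8080 TCP Blocked",
            "965530420 - 08/05/2000 22:53:40 Host: host-c.example.net/203.0.113");

        Summary s = summarize(sample);
        System.out.println("blocked attempts parsed: " + s.total);
        if (s.total > 0) {
            System.out.println("window (seconds): " + (s.lastEpoch - s.firstEpoch));
        }
        s.hitsByPort.forEach((port, n) -> System.out.println("  port " + port + ": " + n));
        s.hitsBySource.forEach((ip, n) -> System.out.println("  source " + ip + ": " + n));
        System.out.println("lines needing manual review: " + s.unparsed.size());
        s.unparsed.forEach(l -> System.out.println("  " + l));
    }
}
```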
If this was an IE bug how much different all of the opionions would be. But its Netscape and Netscape has a Linux version so its ok.
- ActiveX: no security, can do anything
if permitted, permission has been
overridden by exploits.
(MS operating systems only)
- Java: "sandbox" security model, should
be secure, but numerous exploits in the
past have shown that it's not.
- JavaScript/VBScript/JScript: primitive scripting
languages (VBS/JScript=MS proprietary),
have been used for more exploits than Java,
but usually more benign.
Exploits have been reported in all these areas. The first thing you should do is turn off Java. It hardly ever does anything good on webpages and is not so widely used that turning it off could be a nuisance. Next, if you're using Windows, download Proxomitron. It will allow you to selectively filter JavaScript, per site or per user request. I don't know of similar solutions for Linux.
Turn off JavaScript by default and only turn it on if a site doesn't work anymore (chances are, there isn't much content there to be missed anyway).
By deactivating Java and filtering JavaScript, I have been able to greatly increase the stability of Netscape on my NT4 system. It hardly ever crashes (about once a week), although I have lots of windows open (right now, it's 14). That's Netscape Communicator 4.7. I have heard that Navigator alone is even more stable, but haven't tested that one.
Now you're safe from exploits like the one reported above. If you use IE, you are vulnerable to many other exploits (like the recent JavaScript bug that allowed sites to spy on your cookies and thus determine top-secret user ID data that can be used to compromise credit card numbers and much more). If you think that IE is the better browser, you should at least deactivate or filter the insecure layers mentioned above.
Oh, and you might also use Opera. You pay a few bucks once (and I urge you to pay, as they need your money to continue development) and get a rock stable browser with all the essential features, super high speed and high security. If you think IE is better coz Bill Gates gives it away for free, that's your decision.
--
With this and the cookie bug, Netscape seems to be in quite the large hole. I've seen a lot of reports about Mozilla and previous Netscape version exploits, and the publicity has been nothing but bad for the past few years. With decreasing market share and profitability at a minimum, I wonder about Netscape's future. While Sun and AOL have continued to be profitable and progressive, Netscape has been the slow brother. More than anything, a loss of faith and hope for Netscape has all but disappeared and the company I once saw as the solution to the Microsoft monopoly has been slain with nothing but their own laziness and bad decisions. By focusing on their web portal and ignoring their browser, they consequently lost their hold on the browser market that they always believed they'd have.
I know this might be offtopic, but I feel it has to be addressed. Netscape, in my view, wouldn't have survived without the merger with AOL and Sun. Some of us may still hold hopes for Netscape, but for me... my hopes are but dust in the wind
Help me through college please!
They seem to work incorrectly if you're behind a firewall, since the script picks up the IP of the firewall rather than of your machine, and so the server redirects you incorrectly if you do manage to get it to answer.
I haven't had time yet to determine how it behaves if I manually "configure" it, and I don't care to run it at all on my firewall. (I'm curious, not st00pid.)
--Joe--
Program Intellivision!
To follow up on my statement, when "properly configured", it works more or less. I get truncated pages, and I'm not sure why, but by and large I can browse my hard-drive with minimal effort.
So.... If it doesn't work for you, you either have Java disabled, or the BOHTTPD is misconfigured. (Do a "View Source" on the page which loads the applet to get an idea of what it's loading and how it's configured.)
--Joe--
Program Intellivision!
{Hmmmphh!} Doesn't seem to run on my Mac anyway, so what good is it?
LOL...
Carousel is a lie!
Having security built in at method level, with code like this:
    public void somemethod() {
        if (evil_attacker) throw new SecurityException();
        do_sth_useful();
    }
won't get you too far, if the attacker has access to source code, and overloads the method with a version without security checks. Since Java applets can extend java.* classes and the code for them comes with the latest JDK, it was just a matter of time until someone figured this out, and created an exploit.
The easy solution is not to allow unknown code (applets) to replace (overload) system library code. Let applets only extend java.lang.Object or other classes from an Applet, and you're done.
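The pattern this comment describes, a security check that lives in a method a subclass can replace, is shown below next to a hardened form. This is an added example, not code from the post, from Netscape or from the applet; every class and method name in it is hypothetical, and `Policy.callerIsUntrusted()` is a stand-in that always reports an untrusted caller.

```java
// Added illustration; all class and method names are hypothetical.
// Save as OverridableCheckDemo.java and run with: java OverridableCheckDemo.java
public class OverridableCheckDemo {
    public static void main(String[] args) {
        String path = "/home/user/notes.txt"; // constructed sample path
        System.out.println("weak, direct:       " + tryRead(new WeakFileReader(), path));
        System.out.println("weak, subclassed:   " + tryRead(new BypassingReader(), path));
        System.out.println("hardened, direct:   " + tryRead(new HardenedFileReader(), path));
        System.out.println("hardened, subclass: " + tryRead(new CuriousReader(), path));
    }

    static String tryRead(PathReader reader, String path) {
        try {
            return reader.read(path);
        } catch (SecurityException e) {
            return "SecurityException: " + e.getMessage();
        }
    }
}

interface PathReader {
    String read(String path);
}

/** Stand-in for the library's policy decision; always "untrusted" in this demo. */
final class Policy {
    private Policy() {}

    static boolean callerIsUntrusted() {
        return true;
    }
}

/** Weak: the check sits in an overridable method and the worker is protected. */
class WeakFileReader implements PathReader {
    @Override
    public String read(String path) {
        if (Policy.callerIsUntrusted()) {
            throw new SecurityException("read denied");
        }
        return readUnchecked(path);
    }

    protected String readUnchecked(String path) {
        return "<contents of " + path + ">";
    }
}

/** Untrusted subclass: replaces read() and so never runs the check. */
class BypassingReader extends WeakFileReader {
    @Override
    public String read(String path) {
        return readUnchecked(path);
    }
}

/** Hardened: the checked entry point is final and the worker is private. */
class HardenedFileReader implements PathReader {
    @Override
    public final String read(String path) {
        if (Policy.callerIsUntrusted()) {
            throw new SecurityException("read denied");
        }
        return readUnchecked(path);
    }

    private String readUnchecked(String path) {
        return "<contents of " + path + ">";
    }
}

/** A subclass may still exist, but it cannot replace read() or reach the worker. */
class CuriousReader extends HardenedFileReader {
    // @Override public String read(String p) { ... }      // compile error: read() is final
    // String peek(String p) { return readUnchecked(p); }  // compile error: private access
}
```

Only the "weak, subclassed" call returns file contents; the other three end in a SecurityException.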
and we thought that netscape was good ... damnit .. where's my trusty Opera??
Fool! Opera is obviously manufactured by the NSA. Who else but the U.S. government would charge for what others consider to be free?
Semper ubi sububi
-"Always wear underwear."
ditto. Java is designed so that even if your program is poorly written, unless it's pathological, it won't crash or have any effect. Things that will have an effect are something like creating tons of objects just to try to run out of memory, or deadlocking due to poor threading code.
It's 10 PM. Do you know if you're un-American?
of course, I know enough to properly set up my internet settings.
:->
Let's see... MS writes crappy HTML on the Windows Update site and it is MY settings that are wrong? That is too rich!!!
And of course, anybody can cut and paste, too, if they are so inclined.
That is an unretouched screenshot. As if Microsoft needs MY help making them look bad!!!
Obviously, you are biased against M$ and it really doesn't matter HOW good the products are, right?
Naw, I run 98 for school (Office, VB) and personal (Money) reasons and use NT at work. MS writes some good APPS but they have yet to release an OS that works as well as OS/2 Warp 3 did for me FIVE years ago...
M$ didn't bully its way to #1
Hey Bill! How are Melinda and the rugrat doing these days?
--
You think being a MIB is all voodoo mind control? You should see the paperwork!
A man who wants nothing is invincible
Please tell me this was a joke.
I wonder if this could be combined with web bugs. Clicking on the page would activate the gif, downloading the script. Then the vendor could scan your system to insure you have no illegal software or mp3's, and 'just in passing', and 'simply for information's sake', keep a copy of whatever other 'interesting' information you might have....
and we thought that netscape was good ... damnit .. where's my trusty Opera??
This goes to show that stupid security holes aren't for Microsoft anymore. Of course, is this Sun's problem, or Netscape's? What's next, an email that runs this script and posts the contents of your hard drive on the web? Tehe, the joy of it.
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
But Brumleve describes another problem with BOURLConnection and BOURLInputStream that allows the applet to read local files. Can someone help us with that one also?
Cheers,
--Neal
Go IETF!
Insert "Open Source would fix this bug before v4.74" crap here.
Moderate up.
What if running a server is against your TOS? Can a random person violate your terms of service? :)
___
__
Do ya feel happy-go-lucky, punk?
Problem with this hole is that the java implementation in netscape is so slow that when this applet starts sharing your files netscape CPU usage goes to like over 90%. Adding that file transfer is so sloooow...
I've decided to replace gnapster with this. You can now get my mp3's from here
Has anybody checked which Netscape versions are susceptible? (or for that matter IE versions?)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I am an IE fan, by all means, and this looks way worse than what small security holes IE has. Now you wonder, what were the programmers thinking? Was it a true mistake??? OR was it purposeful? It makes you wonder :)
Ah, life is good behind an IP masquerading firewall. So Netscape serves up every file on my machine? Well, come and get it! I'm at http://192.168.1.1/
So I start up the applet and, wanting to see what it looks like on the remote end, I tried connecting to localhost instead of my public IP. (http://localhost:8080/C:/DOWNLOAD/) The message I got was "The Proxomitron couldn't find the site named DOWNLOAD Check that the name is correct..."
Heh, almost forgot about that. My filter proxy is already listening on port 8080, so even if I was connected directly to the internet, the applet wouldn't work. Of course, it's trivial to just start the applet with a different port.
And what exactly is the point of the attribute "trustproxies" in the applet tag?
Any sufficiently advanced civilization is indistinguishable from Gods.
What is Opera? (Sorry, I R DUM)
this sig was brought to you by the letter "Z"
It uses 184 MBs of memory but it's quick and doesn't disk thrash on my 64 meg machine.
wow!!! you've only got 64MB of RAM, and a 184MB application doesn't cause disk thrashing? is that because you don't actually have your disk connected, or is it just that you've smoked all of your $3 crack in one hit?
IE would crash first...
Am I the only one who finds netscape to be stable? Granted, I visit only about 10-20 webpages regularly - but it never crashes on me.
Even with java I don't crash. Maybe I'm offtopic but the amount of bitching I see here about NS is amazing.
I can't remember the last time NS crashed on me
Sorry. That was bad.
"On the Internet, everyone is an equal until they prove themselves to be a moron." - Emmanuel Goldstein
Because Netscape screws up java on windows too. A lot of pages run just fine on IE and crash on both windows and linux netscape. There's nothing like getting 20 java error windows and then having netscape freeze.
If not now, when?
Netscape lasted more than 3 seconds when I ran the applet. I even got a few pages downloaded before it died. If I had left things mostly alone, I bet it would stay okay for a while, at least long enough to get /etc/passwd if / was mounted. Of course, that's rather useless since the passwords are in /etc/shadow which isn't user readable, and (hopefully) root would never be running netscape. It did, however, die quite horribly when trying to close it, and I had to kill -9 it to oblivion (^c didn't work).
Sometimes I've believed as many as six impossible things before breakfast.
I have to disagree. Java itself is not the problem. This summer I have been doing a lot of Java development on Linux, and not once has Java crashed on me unless I wrote some bad code. The problem is netscape. The reason java crashes in your web browser has a lot more to do with the browser than the JVM.
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
Is there a Java flight simulator we could graft in here?
They publish a list of people who are trying it out. So right now I'm surfing through some dude's C:\Program Files\. I was considering ganking his ICQ database file but he must have shut it down. I'm glad I put my temp directory as the directory to serve. C:\Program Files\ just has too much, imagine the fun you could have with a bunch of ICQ and email archives.
Bleh!
... Very Public Network, that is..
--
Notepad specialist & FAT administrator, group training available Fabian Rodriguez
Notepad specialist & FAT administrator, group training available
Going out of bounds on an array can be good code. It's reasonable to use exceptions as part of your logic.
when i telnet to the port on localhost... at first I thought it was open, but it isn't.
so what is the browser doing? has anyone tried to browse to this off another machine yet? or telnet to the port?
i wish my other two machines weren't down or i would just do it myself...
i mean, it seems like it MUST be open, yeah... cause it's the URL, but, um, gee if the port is open shouldn't I be able to connect with telnet?
or is there something i'm missing here...
You need to be paranoid about the government, if no one was, then they would be free to run as they please, treating the american (or global) worker as an object, not that it would be the first time. On the topic of CERT however, I don't understand if you are saying that if CERT were to, shall we say, 'pimp' out their services (for lack of a better word) to a select group[s], and give them credit for finding an exploitation, the global masses would or would not lose trust in CERT and eventually begin to look elsewhere, if any such group exists, for an independent group who performs a similar function to CERT. Jeez, now I feel wary of the government, too...but then I AM in the middle of Walden by Thoreau, so that could be why. :)
--- What
The salvaging has already begun. galeon.sourceforge.net
Hmm, odd. Netscape 4.61 for OS/2, the only version of Netscape which uses native Java rather than a Netscape JVM, certainly has a problem too, but the exploit doesn't seem to work on it. It listens on port 8080, if I request the root document, I get a relocation to the path I specified, but if I hit that URL, Netscape shuts down. Doesn't crash or anything - it just commits suicide. If I had as much spare time as the guy who hacked this together, I'd figure out where it breaks. :-)
I enjoy watching the number of active servers climb as more and more
take it back... as i said in reply to a reply to a previous post, it was either a bug in the machine or a bad typing job by me, but I was able to telnet into localhost and see the directory structure.
Anyway, there's a really good reason why you shouldn't use "Internet Explorer", no matter how absolutively wounderful it is: you're voting with every mouseclick, leaving trails in the logs of every website you visit, getting us all a little closer to a Microsoft dominated world.
You're damn right. I'm voting with every click - voting in support of a superior product.
I traced the java and ran tcpdump and watched folks getting files from above the root of the share. I'll have to change my ssh key now :)
You know who you are
adsl-216-102-200-137.dsl.snfc21.pacbell.net
customer-GDL-196-91.megared.net
noc05.sjc1.globix.net
dialup-209.245.205.117.Houston1.Level3.net
user-38ldkut.dialup.mindspring.com
This is a no brainer.
A Java based exploit can turn netscape browser into a server.
That oughta last about 3 seconds until Java locks up the netscape process.
Most Windows people have no idea how pathetically unstable Java for linux is.
Write once, crack anywhere.
What a colossal load of absolute crap. First off, I am as pro-open source as anyone else, but this type of fanaticism makes me sick. You're telling me I should use a product that has been essentially forgotten by its creators to further political goals? No frigging way. I loathe Microsoft for everything they stand for, and I don't trust their product as far as I can throw it, but there is no damn way I will use a substandard product just to spite them. I run a weblog and ditched Netscape after losing my seventh article due to an unexpected and completely random bail, so if by switching to a clearly superior product that actually matters to its developers I am nurturing the tool of Satan, then I'm happy to do so.
It's ridiculous statements like yours that give OSS proponents a bad name, because by your own admission, quality of product has absolutely no meaning as long as you're screwing Bill in the process. Since when do OSS pundits argue for the purchase of commercial software like Opera? Sounds like pure politics to me. And guess what, I do develop for IE more than anything else simply because the viable alternatives either expect me to shell out hard earned cash I don't have, or have neglected the product to the point of borderline uselessness. Opera makes a great browser that nobody will ever know about because it's commercial software with free alternatives.
Netscape's outright loss in the web browser war has less to do with Microsoft's monopoly than it does AOL's complete neglect of a once desirable product, and if NS6 PR1 is any indication, nothing has changed. Standards compliance means precisely jack if the damn thing is slow, crashy or just plain unusable for any combination of reasons.
I hope you enjoy playing politician while the vast majority make choices based upon quality of product.
---
Slashdot: News For Zealots. Stuff That's Hypocritical.
And if the share of Netscape was 95%, every dweed of a web designer would have to continue to code around every little problem, glitch, and poorly supported standard in Netscape.
With Napster on the verge of being shutdown this exploit comes at just the right moment in time! Why bother with Gnutella or Freenet when the peer-peer sharing application IS ALREADY ON YOUR COMPUTER!
The Rise and Fall of Netscape - http://www.msnbc.com/news/379409.asp
Help me through college please!
See, after all the berating of activex/vbscript bugs in outlook that allowed the new "worm" breed of viruses to plague Windoze users, now we have something nasty to send the *nix users who read email with Netscape and have html/java turned on ;)
(of course, us Mutt or Elm users are still safe *grin*)
--
Sinepaw.org: Grape Winos
That Netscape is the worst browser ever. Quote from his article: "Today a bug was reported in Netscape, versus none reported today for IE. That proves that Netscape is the worst browser ever!"
-------------
The truth is out th- oh, wait, here it is...
Confusious waits for the Java exploit that stabilizes Java in Netscape...Now that would be the real trick.
(+1 Funny) only if I laugh out loud.
Netscape gave away the browser... sure, there was a price tag, but only corporations and extremely gullible (or "honest") private users ever paid the fee. The full version has ALWAYS (from Day 1) been available for download without any registration or any means to track the product.
This was done on purpose. It was meant to spread the "Netscape Mindshare" and sell servers to people who wanted to ensure MAXIMUM compatibility with all those browsers.
In 1995, Netscape had something like 90% of the market, until Windows95 shipped with IE included. Even with the pack-in, the balance really didn't shift until M$ came out with version 3.0 (seems to be a magic number for them... Win 3.x, Dos 3.x).
Netscape never made money on the browser, except for large corporate licensing fees (many corporations still pay these, but the numbers are dwindling rapidly), and Netscape never thought twice about deviating from standards when it served their purpose for selling servers (not unlike M$).
And of course, selling out to AOL led to <SARCASM>a major innovation</SARCASM>... the inclusion of AOL's proprietary IM service using their crappy client. The only thing more annoying is the damn DOJ-imposed "Online Services" folder that keeps cropping up in every Windows install I do....
This exploit is possible because of two factors.
The first problem is that Netscape's SecurityManager does not throw a SecurityException when the BOServerSocket constructor creates a java.net.ServerSocket. Here's the exception thrown in IE:
*******************************
com.ms.security.SecurityExceptionEx[BOServerSocket.<init>]: cannot access 8080
at com/ms/security/permissions/NetIOPermission.check
at com/ms/security/PolicyEngine.deepCheck
at com/ms/security/PolicyEngine.checkPermission
at com/ms/security/StandardSecurityManager.chk
at com/ms/security/StandardSecurityManager.checkListen
at java/net/ServerSocket.<init>
at java/net/ServerSocket.<init>
at BOServerSocket.<init>
at BOHTTPD.init
at com/ms/applet/AppletPanel.securedCall0
at com/ms/applet/AppletPanel.securedCall
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.run
at java/lang/Thread.run
***********************************
After the ServerSocket is created, a SecurityException _is_ thrown whenever the BOServerSocket calls implAccept, but this Exception is easily caught. Also, by the time the Exception is thrown, the damage is already done. Here's the Exception:
************************************
netscape.security.AppletSecurityException: security.Couldn't connect to '127.0.0.1' with origin from '216.61.198.249'.
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled Code)
at java.lang.RuntimeException.<init>(Compiled Code)
at java.lang.SecurityException.<init>(Compiled Code)
at netscape.security.AppletSecurityException.<init>(Compiled Code)
at netscape.security.AppletSecurityException.<init>(Compiled Code)
at netscape.security.AppletSecurity.checkConnect(Compiled Code)
at netscape.security.AppletSecurity.checkConnect(Compiled Code)
at netscape.security.AppletSecurity.checkConnect(Compiled Code)
at netscape.security.AppletSecurity.checkAccept(Compiled Code)
at java.lang.SecurityManager.checkAccept(Compiled Code)
* at java.net.ServerSocket.implAccept(Compiled Code)
at BOServerSocket.accept_any(Compiled Code)
at BOHTTPD.run(Compiled Code)
at java.lang.Thread.run(Compiled Code)
************************************
So, to recap: 1) Netscape does not throw a SecurityException when a ServerSocket is created in BOServerSocket.<init>, and 2) the connection is made by the time the exception is thrown in ServerSocket.implAccept().
#1 is Netscape's fault. They haven't implemented their security policies correctly, specifically that a ServerSocket can't listen on a port in an unsecure applet. #2 is definitely Sun's fault because the SecurityException can easily be circumvented by overloading Socket.close().
Bravo to the grey hat for finding this!
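The check ordering the comment above describes, as an added example that is not part of the original post and is not Netscape's, Sun's or the applet's code: a listener wrapper that refuses before the port is bound and closes a denied connection itself before returning anything to the caller. `GuardedListener`, `Policy` and `fixed` are hypothetical names, and the loopback bind on an ephemeral port is an assumption made so the demo runs offline.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

// Added illustration: Policy and GuardedListener are hypothetical names.
public final class GuardedListener implements AutoCloseable {
    /** Stand-in for the sandbox's listen/accept decisions. */
    public interface Policy {
        boolean mayListen(int port);
        boolean mayAccept(InetAddress peer);
    }

    static Policy fixed(final boolean listen, final boolean accept) {
        return new Policy() {
            public boolean mayListen(int port) { return listen; }
            public boolean mayAccept(InetAddress peer) { return accept; }
        };
    }

    private final Policy policy;
    private final ServerSocket server;

    public GuardedListener(Policy policy, int port) throws IOException {
        // Decide before binding: denied code never owns a listening socket.
        if (!policy.mayListen(port)) throw new SecurityException("listen denied: " + port);
        this.policy = policy;
        this.server = new ServerSocket(port, 50, InetAddress.getLoopbackAddress());
    }

    public Socket accept() throws IOException {
        // The connection is already established when accept() returns, and the
        // Socket is JDK-created, so its close() is not caller-supplied code.
        Socket peer = server.accept();
        if (policy.mayAccept(peer.getInetAddress())) return peer;
        peer.close(); // torn down here, before the caller can hold a reference
        throw new SecurityException("accept denied: " + peer.getInetAddress());
    }

    public int port() { return server.getLocalPort(); }
    @Override public void close() throws IOException { server.close(); }

    public static void main(String[] args) throws Exception {
        try { new GuardedListener(fixed(false, false), 0); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        try (GuardedListener l = new GuardedListener(fixed(true, false), 0);
             Socket client = new Socket(InetAddress.getLoopbackAddress(), l.port())) {
            try { l.accept(); } catch (SecurityException e) { System.out.println(e.getMessage()); }
            System.out.println("client at EOF: " + (client.getInputStream().read() == -1));
        }
    }
}
```

The second half of `main` is the case from point 2: the policy allows listening but denies the peer, and the client observes end-of-stream because the wrapper, not the caller, closed the accepted socket.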
Okay, so someone sends you an email with this html embedded. Did your communicator just become a webserver? Think of the implications there. Someone sends you an email, then they just cruise on over to your ip and access any of your files...
Fits better, don't you think?
Bleh!
Under *nix, yer still pretty safe. Only running Netscape as root would truly expose you. And no one is stupid enough to do that, right? Well... maybe Red Hat users.
Actually, netscape is used as the UI to a number of sysadmin utils including up2date. (And, yes, it does run netscape as root.)
how do you know that the java code downloaded from netcom is not what activates the server, not some bug in Netscape's own java?
Because, Netscape's own java should NOT allow this server to run. The fact that this server is allowed to run is the bug itself.
--Dg
Is it me or does this seem easier to setup than editing /etc/vfs/vfstab to export /export/blah - now if only we could get NIS to adopt this for automounts we'd be set for NIS on a WAN !!! (except for the minor issue that anyone can read a file - but life has its trade-offs....)
Wheeeee
I paid $20,000 for a Chevy, so I am clearly that stupid.
---
Slashdot: News For Zealots. Stuff That's Hypocritical.
Now when my clients want a cheap
VPN I can tell them they already have one
if they use netscape!
I LoVe Technology
but i hate spelling
http://Lenny.com
Odd. It doesn't show up when I go to Windows Update... of course, I know enough to properly set up my internet settings. And of course, anybody can cut and paste, too, if they are so inclined.
As for display "bugs" IE displays bad html pages a lot more successfully than Netscape ever has or, apparently, ever will. On top of that, it uses far fewer resources than Netscape does for the same content. Perhaps this is because of the heavy reliance on IE auxiliary code in so many of the M$ applications and OS subsystems (rendering code, http put/fetches, jpg/gif image imports, ActiveX container support) that so much effort has been invested in making it efficient.
Obviously, you are biased against M$ and it really doesn't matter HOW good the products are, right? But how many Sony or Nike products do you own? They promote similar tactics... Intel? Phillip Morris family products? P&G? Look around you... M$ didn't bully its way to #1, but I'll admit it has used its weight to stay there. Still, it's no reason not to give credit where credit is due. IE is good. Netscape sucks.
Oh, and don't forget, M$ Linux will be out in a year or so.... I'm sure we'll see IE for Linux at that time.
"WHOA! I just saw a Windows 2000 system that was still running BOHTTPD even after Netscape had been apparently terminated. Even the "Task Manager" showed no trace." That's very interesting.
Liberty.
What does Opera have to do with Netscape's browser costing anything?
Netscape had its laughable "personal priced" version for a few years ($49.95) and managed to suck in a few thousandths of a percent of Netscape users into paying fees, then repealed that a couple of years ago. It also retail boxes the browser, just as M$ does. It doesn't change the fact that both browsers have been available for FREE DOWNLOAD since they were created, with no features disabled or limited.
I doubt it, as I've not had much luck running ANY java apps under Netscape/Linux.
The Web is like Usenet, but
the elephants are untrained.
Who's hiding? Some of us have the bag to post without being an AC.
---
Slashdot: News For Zealots. Stuff That's Hypocritical.