In case you haven't heard about how people are reacting to the security
issues, here is some recent information.
David F. Andrade University of Washington
---------- Forwarded message ----------
Date: Fri, 1 Mar 1996 15:07:16 +0100
From: Lincoln Stein <firstname.lastname@example.org>
Cc: email@example.com, Eric Hammond <firstname.lastname@example.org>,
Malcolm Humes <email@example.com>, Jeff Weinstein <firstname.lastname@example.org>,
There's been some confusion regarding what security problems do and
2.0, and unfortunately the WWW Security FAQ was not entirely clear
(because I wasn't entirely clear...). Some of these holes were
present only in beta versions of Netscape. Others are still with us.
Here's the current list of security holes and their status:
1) Read user's history -- fixed in 2.0
2) Read user's URL cache -- fixed in 2.0
3) Forge e-mail/steal e-mail address -- STILL PRESENT IN 2.0
4) Recursively list local disks -- STILL PRESENT IN 2.0
5) Open 1 pixel window and log all URL accesses -- STILL PRESENT IN 2.0
I am enclosing the current draft of this section of the FAQ for user
comment. Please let me know of any inaccuracies you find in this
section. Thank you all for your input.
Netscape Navigator 2.0. It allows many types of private information to be
included in data submitted to remote sites by fill-out forms, without the
consent, or even the knowledge of the user. For example, a recently
address from Netscape's preferences dialog and send it across the Internet.
John Robert LoVerso (email@example.com) has discovered another bug in
the user's browsing activity, capture the URLs of open documents, and
transmit them to a remote server. A demonstration is available at:
To defeat this type of attack, you must be on the lookout for scripts that
pop up new windows that don't seem to be doing anything. Close them
immediately. Note that the windows may be quite small: a 1x1 pixel window
may be almost invisible.
the user's local disk and any network disks that happen to be mounted. This
information can be transmitted anywhere in the Internet. See
for a demonstration.
If you happen to be using any beta version of Netscape 2.0, stop
allow the user's history and cache files (both of which contain lists of
recently-visited URLs) to be captured. See
for more details.
be more lurking. The safest course at this point is to use Netscape 1.1 or
another vendor's browser. Turning off Java in the Security Preferences
it may provide an "off" button in Netscape 2.1.
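
The check described in the message above (watching for script-opened windows as small as 1x1 pixel), as an added example that is not part of the original message: a static scan of page source for `open()` calls that request a near-invisible window. The sample page, the `findTinyPopups` and `parseFeatures` names and the 10-pixel threshold are assumptions made for illustration.

```javascript
// Added illustration: static check for script-opened windows too small to notice.
// SAMPLE_PAGE is constructed sample input, not code from any demonstration page.
const SAMPLE_PAGE = `
<script>
  open("tracker.html", "t", "width=1,height=1,toolbar=no");
  window.open('help.html', 'help', 'width=400, height=300');
  window.open("log.html", "w2", "HEIGHT=2, WIDTH=2");
  window.open("news.html", "n", "toolbar=no");
</script>`;

// Parse a window.open() feature string ("width=1,height=1") into a lower-cased map.
function parseFeatures(features) {
  const out = {};
  for (const part of features.split(",")) {
    const [key, value = ""] = part.split("=").map((s) => s.trim().toLowerCase());
    if (key) out[key] = value;
  }
  return out;
}

// Return every open()/window.open() call with literal string arguments whose
// requested width and height are both at or below maxSide pixels.
// maxSide is a hypothetical threshold chosen for this example.
function findTinyPopups(source, maxSide = 10) {
  const call = /\b(?:window\.)?open\s*\(\s*(["'])(.*?)\1\s*,\s*(["'])(.*?)\3\s*,\s*(["'])(.*?)\5\s*\)/g;
  const findings = [];
  for (const m of source.matchAll(call)) {
    const f = parseFeatures(m[6]);
    const width = parseInt(f.width, 10);
    const height = parseInt(f.height, 10);
    // A call that omits a dimension gets a default-sized window: not flagged.
    if (Number.isNaN(width) || Number.isNaN(height)) continue;
    if (width <= maxSide && height <= maxSide) {
      findings.push({ url: m[2], name: m[4], width, height });
    }
  }
  return findings;
}

console.log(findTinyPopups(SAMPLE_PAGE));
```

The scan only sees calls whose arguments are string literals; a feature string assembled at run time needs inspection of the running page instead.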