[81788] in Cypherpunks

home help back first fref pref prev next nref lref last post

Re: Impact of Netscape kernel hole

daemon@ATHENA.MIT.EDU (Igor Chudov @ home)
Fri Jun 13 23:29:00 1997

To: tomw@netscape.com (Tom Weinstein)
Date: Fri, 13 Jun 1997 21:32:04 -0500 (CDT)
Cc: jya@pipeline.com, cypherpunks@toad.com
In-Reply-To: <33A1F574.42D6AD6A@netscape.com> from "Tom Weinstein" at Jun 13, 97 06:35:48 pm
From: ichudov@algebra.com (Igor Chudov @ home)
Reply-To: ichudov@algebra.com (Igor Chudov @ home)

Tom Weinstein wrote:
> John Young wrote:
> > 
> > Still, it would be good to know if a Netscape snooper could snarf a
> > key while it is being used by PGP to decrypt, that is, whether the
> > hole allows snooping on dynamic ops or just on stored info.
> > 
> > Does anyone know if the the hole finders are discussing this on the
> > Net, and if so, where? What are the folks at Netscape saying? Tom,
> > Jeff?
> 
> We aren't talking about it much.  We've released some information to
> the press and posted a release on our web site.
> 
> This attack can be used to grab any file from the user's hard drive,
> provided you know the file name and path.  It exploits a bug in the
> way forms are handled.  You can guard against this attack by turning
> on the warning dialog for submitting a form over an insecure connection.
> 
> We have a fix which we are testing now, and we'll have it out early next
> week for 4.0.  A fix for 3.x will follow once we have 4.0 fixed.


Tom, are you going to release the linux version of netscape, 
and when.

Thank you very much.

	- Igor.


home help back first fref pref prev next nref lref last post