(A Javascript-enabled browser is required to email me.)

TBTF for 1995-09-27: Nutscape cracked again

Keith Dawson (dawson dot tbtf at gmail dot com)
Wed, 27 Sep 1995 01:20:00 -0400

The following correspondence, anonymized and already much forwarded, came
my way this morning at 11:46. The story of the third crack discovered in
Netscape in the last month ran in today's Wall Street Journal and was pick-
ed up by Edupage. The reported problem may not be limited to Netscape, but
could exist in other web browsers that support the mailto: tag (which is
most of them except MacWeb/WinWeb).

This flaw does not represent a threat to encrypted transactions; rather it
is a security hole through which a miscreant (love that word) could cause
the execution of an arbitrary program, script, or command on a client ma-
chine. (Rather like the mail-attachment, right-button boo-boo in Windows 95/
MSN that Microsoft has been dismissing a lot of late.)

>> mailto: hyperlinks containing extra-long domain names
>> seem to be handled comparatively safely in both Netscape and Mosaic.
>> (Perhaps they just have longer buffers ? ;)

> My guess is, Netscape doesn't do any processing on the
> mailto: hyperlink at all, but merely passes it to a real mail delivery
> agent like Sendmail (or it uses MAPI under Win'95). Which begs
> the question, if Netscape is executing an external delivery agent,
> there may be the possiblity of sneaking an attack in there and getting
> the shell to execute something.
> Hmm, let me try something . . .
> WOW!! Unbelievable! Stop the presses! I Can't believe no one ever
> discovered this before! Try a page with the following URL
> <a href="mailto:blah at foo dot com|xterm&"> test </a>
> Muahaha! Yet another security hole! Clicking on this mailto brings up
> an xterm on my machine! Simply change the xterm& to "rm -rf /" and
> bingo!
> Sheesh. I better stop before I am on Netscape's most hated list.

The "Muahaha" lends a nice tone. Obviously this correspondent has not
seen <http://www.c2.org/hacknetscape/>, a contest sponsored by Berkeley
ISP Community Connexion (with web site and prize tee shirt designed by
Eye Candy). The tee shirt is to die for. Thanks to bill@atria.com for
this one:

> Hack Netscape and win a T-shirt! Yes, expose security flaws in the
> most widely used commercial WWW software and you too can have your
> very own limited edition T-shirt, awarded only to people who have
> exposed security holes in Netscape internet products or managed
> widely publicized Netscape cracking events.

When I learn the identity of the two anonymous correspondents above I'll
let you know.


Sounds so much nicer than "correction," don't you think? Karyn German,
TIA product manager at Cyberspace Development, wrote to correct a mis-
impression from my List Hijacking piece in TBTF for 1995-09-24 (see
<1995-09-24.html>). The Majordomo
mailing list at CyberDev has never been open to posting by outsiders --
so my posited evil marketing genius could steal the list, but could not
make CyberDev pay for his use of it. Majordomo in fact offers a number
of such security knobs, as I assume the other list servers do. My point
was that Net oldtimers may not have been tweaking them, so far... but
they will.

The hijacker hijacked:

Karl Hakkarainen sent me a mailing originating from Atria Software,
Inc. -- in fact from just down the hall from my office. The announce-
ment of a seminar displayed what appeared to be Atria's entire New
England mailing list in its "To:" field. Thanks, Karl, the sender has
now been requested to use the "Bcc:" field in future.

>>From WEBster (1995-09-19):

Microport introduced the NetMark 1000 at Unix Expo. It is a complete,
out-of-the-box Web server solution including hardware, ready to plug
into a LAN and/or an Internet access provider. Based on a Pentium PC
with two Ethernet ports, an external SCSI port, and a CD-ROM drive,
the server runs Novell (soon to be SCO) UnixWare. Preinstalled are a
full suite of TCP/IP applications including news, mail, gopher, and a
Web server that seems to be based on NCSA/UIUC, as well as web author-
ing tools. Prices start at $6,800. Microport is positioning the NetMark
1000 as a quick way for companies to bring up a Web presence for either
internal or external information serving. For more details see the WEB-
ster story at <http://www.tgc.com/websec/20454.html>. I checked the Mi-
croport Web site, <http://www.mport.com/>, and it is remarkably content

Sun, SGI, DEC, and others have been selling out-of-the-box, hardware/
software web-server solutions for some time now; Microport's offering
represents the first such that I am aware of priced significantly below

>>From the Internet Patent News Service (1995-09-05):

Finally, some numbers on the growth of software patents since 1971,
courtesy of the indispensible Greg Aharonian. Total patents have risen
on a leisurely straight line, doubling in number over the past 25 years.
Software patents have been on a clear exponential uptrend. For the data
set and a graph see <sw-patents.html>.
Greg claims that there has been no statistically significant change in
the quality and process of handling software patents since the Compton's
debacle. He says that "Knuth is digging a grave just to have something
to roll over in."


>>Edupage -- mail listproc@educom.edu without subject
> and with message: subscribe edupage <your name> .

>>WEBster -- send mail without text to 4free@webster.tgc.com .

>>Internet Patent News Service -- mail patents@world.std.com
> with message: help .

TBTF alerts you twice a week to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the
message "subscribe" to tbtf-request@world.std.com.
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.