Computer Games Forum

Old 02-04-2001, 14:56   #1 (permalink)
Drinking Guru
 
DIABOLIK's Avatar
 
Join Date: Jan 2000
Security expert Dan Brumleve has found a gaping hole in Netscape Communicator.

Brumleve, who discovered the "Cache Cow" flaw and its progeny in 1998, has created a pernicious Java applet he calls "Brown Orifice," which provides Internet access to a user's local files.

Exploiting problems in Netscape's implementation of Java, Brumleve's applet running on a Netscape browser turns a computer into a file server; it delivers files on the computer's hard drive to anyone on the Internet.

"This is potentially one of the worst things that can happen in browser security," Brumleve said of Brown Orifice, which is named after the infamous hacker utility Back Orifice.

He explained that the applet could be embedded in any Web page; if a surfer accesses the page using a Netscape browser, the applet will run in the background, surreptitiously providing access to the computer's files. Worse, the applet can be initiated through email messages that are read on Netscape Mail, Brumleve said.

"Somebody can send you a hostile mail message, and you can send them back all the data on your computer. So this is certainly enough to cause a catastrophe," Brumleve said, comparing the applet to the Melissa virus.

Using the test link Brumleve provided on his website announcing the hole, Wired News was able to corroborate Brumleve's claims. The applet, running on Communicator 4.74 on a Windows 98 PC, provided full access to the PC's files; it persisted until Communicator was shut down.

Brumleve said that the applet would run on versions 4.5 to 4.7 of Netscape Communicator, on Windows-based and Linux-based computers.

Netscape officials said that they are aware of the problem, and that engineers are working on a fix.

"We plan to make a patch available, but in the interim, users can protect themselves by simply turning off Java," said Andrew Weinstein, a spokesman for the company.

To turn off Java, a Netscape user should click on the "Edit" menu, choose "Preferences," and then choose the "Advanced" option. Then, users should make sure that the "Enable Java" option is not checked.

Weinstein added that in a few months, the company will release version 6 of its browser, which is not vulnerable to the security hole. Preview Release 2 of Netscape 6, which does not contain the vulnerability, is available now at the company's website.

Some in the hacker community speculated on Brown Orifice's non-malicious uses. The applet can be easily used as a Napster-like file sharing utility, Brumleve said, giving a community of users access to files on each other's computers.

Brumleve spent Saturday at a San Francisco Internet cafe showing off Brown Orifice and said many people there were using it for file-trading purposes.

Brumleve discovered the bug in Netscape while "messing around" with Java last week. He said that once he realized the flaw, "it didn't take very long to find out how to make the program. I was surprised that nobody has done it until now."

Since developing the applet, Brumleve's site has received more than 200,000 hits, and thousands of people have downloaded the Brown Orifice source code.

Brumleve's applet exploits two different flaws in Java, he said. One is specific to the Java language: This hole "allows Java to open a server that can be accessed by arbitrary clients," Brumleve wrote on his site.

The second hole is more dangerous, and is only found in Netscape: It "allows Java to access arbitrary URLs, including local files."

"At this point it's very unsafe to run Netscape Mail, or even use Netscape as a browser on untrusted sites," Brumleve said.

 
DIABOLIK is offline    Reply With Quote
Old 02-04-2001, 15:10   #2 (permalink)
Registered User
 
Speedo's Avatar
 
Join Date: Feb 2000
Location: Bucuresti
Yeah, I wasn't expecting anything good from Netscape anyway, since they no longer have money for development now.

Greets,
Speedo
 
Speedo is offline    Reply With Quote
Old 03-04-2001, 02:26   #3 (permalink)
Registered User
 
razvi's Avatar
 
Join Date: Jul 1999
Location: Bucuresti
http://www.microsoft.com/technet/sec...n/ms01-020.asp
 
razvi is offline    Reply With Quote
Old 03-04-2001, 12:04   #4 (permalink)
Drinking Guru
 
DIABOLIK's Avatar
 
Join Date: Jan 2000
Since I've already started...

Your computer may not be protected against a recently discovered and dangerous security hole -- despite all claims to the contrary from Microsoft.

Microsoft released an urgent security warning on Friday, detailing a hole in Internet Explorer that allows attackers to remotely access and control any computer running any version of the Windows operating system and Internet Explorer Versions 5 and 5.5.

But many users who attempted to download the security patch over the weekend reported receiving a message during installation that, "This update does not need to be installed on this system."

Microsoft officials say the message is an error and urge everyone who received it during an attempted installation of the security patch to return to the company website, download either Microsoft Internet Explorer 5.01 or Microsoft Internet Explorer 5.5, and then reinstall the patch.

"If the patch is installed on a system running a version of IE other than the ones it is designed for, an error message will be displayed saying that the patch is not needed," Microsoft officials posted on the site on Sunday. "This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches."

Microsoft said users can verify the patch has actually been installed on their machine by opening Internet Explorer, selecting "Help," then selecting "About Internet Explorer." If the patch has been properly installed, the code "Q290108" should be listed in the Update Versions field.

Only those running Internet Explorer 5.01 Service Pack 2 do not need to install the patch. The security flaw can probably affect many older versions of Explorer, but Microsoft said that previous versions of Explorer are "no longer supported, have not been tested and may or may not be affected by this vulnerability."

Microsoft's initial documentation for the patch did state that the patch would work only with IE versions 5.01 and 5.5.

But some users may not have read the entire help file. Others who didn't know what version of Explorer they were using attempted to install the patch and then assumed their machine was protected upon receiving the erroneous message from Microsoft.

"When I tried running the patch, I got a dialog box with the message, 'This update does not need to be installed on this system,'" one user wrote in an e-mail. "I've got no idea how that can be, if this is a newly identified problem and a newly released patch."

"Do you know how it could be that I don't need the update?"

Others, sensing the message was incorrect, said they had searched Microsoft's support pages but found no answers. Many also e-mailed to find out if there was any way that they could override the "You Don't Need This" message.

They are right to worry. Microsoft has designated this security patch as critical: Unpatched browsers can act as a virtual open door into a computer system, allowing a cracker complete control over the affected machine.

A machine can be attacked using a specially scripted HTML-formatted e-mail with an attachment or through a file placed on a Web page.

IE's programming code has a flaw that cannot process certain MIME (Multipurpose Internet Mail Extensions) headers. MIME is a common method of transmitting non-text files by e-mail -- it encodes the files and then decodes the file back to its original format, and contains instructions about how to handle the specific file.

A file or e-mail with faked headers can force IE to assume it's dealing with a "safe" multimedia file, so it will automatically open and install any designated small program or e-mail attachment without the computer user's permission.

When placed on a website, a file with those faked headers will automatically download and install a remote-control program on a user's computer when the user -- perhaps lured there by an e-mail promising free sex, free downloads, free anything -- simply views the website that harbors the file, said Web designer John Vander.

If e-mailed, the attachment will open and install itself.

Outlook users normally need to open an e-mail containing an attachment and then double-click on the attachment to open or install the contents. But all Microsoft programs allow Internet Explorer to handle all HTML-formatted files, assuming that those files are actually a Web page.

Examples showing exactly how this exploit works are available on Juan Carlos Cuartango's website. Cuartango is a white hat hacker in Spain who discovered the flaw and alerted Microsoft.

Cuartango's documentation shows how this vulnerability can enable an attacker to do anything that the user can, including examining, adding, changing or deleting data or reformatting the hard drive.

Scott Culp, Microsoft's security program manager, said on Friday that the flaw exists only with a few out of several hundred MIMEs that are used to encode files as e-mail attachments.

Culp said the problem is a "typical software error," and said he was thankful it had been discovered and patched before it could be used to spread viruses.

"That's the best situation we can hope for, short of perfect software," Culp said.

Security experts believe it won't be long before the hole is widely exploited.

"Now that the information is out there, people will be trying this exploit to see what they can do with it," said Jerry Adams of TechServ, a corporate computer support and security firm. "People need to apply that patch now."
 
DIABOLIK is offline    Reply With Quote
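
A defensive check for the header mismatch the article in post #4 describes, added here as an example (it is not part of the thread or of any vendor's code): it flags MIME parts that declare a multimedia type while carrying an executable filename or executable leading bytes. The list of media-type prefixes, the extension list and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumption: media types a mail client might render without prompting.
SAFE_MEDIA_PREFIXES = ("audio/", "video/", "image/")
# Assumption: extensions Windows executes directly.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def audit_mime_parts(raw: bytes) -> list[dict]:
    """Report parts whose declared media type disagrees with name or content."""
    findings = []
    msg = message_from_bytes(raw, policy=default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if not ctype.startswith(SAFE_MEDIA_PREFIXES):
            continue  # only parts that claim to be "safe" multimedia
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        if payload[:2] == b"MZ":  # DOS/PE executable signature
            reasons.append("PE/DOS magic bytes")
        if reasons:
            findings.append({"declared": ctype, "filename": name, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test message: one mislabelled part and one honest image."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("hello")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="greeting.exe")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                       subtype="png", filename="logo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in audit_mime_parts(build_sample()):
        print(finding)
```

A mail gateway would run a check of this kind before delivery; it does not replace installing the patch the article refers to.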
All times are GMT +2. The time now is 03:03.


This site is copyrighted ©1997 - 2009, Computer Games Online SRL