[Previous] [Next] [Index]
[Thread]
Netscape vulnerability matrix
It would be really helpful if someone from Netscape could correct this
matrix and get it out somewhere public & keep it up to date. It's getting
confusing to keep these straight, and advise people. Maybe this is all
buried in some release notes somewhere, but that's not a very easy way to
get at it when there are 3 platforms*2 current versions/platform*3-4
current vulnerabilities (and then one or two betas/platform active at any
given time).
If this is already out there somewhere, sorry. Just point me to it.
Dave
WARNING: THIS PROBABLY NOT RIGHT. IT'S A ROUGH GUESS.
Java (applets make connections to arbitrary hosts)
Mac 2.0, prior 2.0 betas, 2.0X. 1.22?, 1.N - not vulnerable
Mac 2.0JavaBeta (what's the exact #?) - vulnerable - replace with 2.0X
Windows 2.0, prior 2.0 betas (exact #, plz) - vulnerable - disable
java, upgrade
to 2.0X or step back to 1.22
Windows 2.0x - not vulnerable
UNIX 2.0 etc. etc.
JavaScript (browser will give out email address, directory names, URL cache?)
Mac 2.0x, 1.22, 1.0N - not vulnerable
Mac 2.0, prior 2.0 betas - vulnerable - upgrade to 2.0X or revert
to 1.22
Mac 2.0JavaBeta (what's the #?) - vulnerable
Windows 2.0x, 1.?? - not vulnerable
Windows 2.0, prior 2.0 betas - vulnerable - upgrade to 2.0x, revert
to 1.22
UNIX ??
Magic Cookies (maybe that's the source of divulging the URL cache and
directories?)
etc.
etc.
Insufficient randomness in key generation
Mac 1.0N - vulnerable - upgrade to 2.0X
etc.
etc.
WARNING: THIS PROBABLY NOT RIGHT. IT'S A ROUGH GUESS.
---------------------------------------------------------
Dave Millar University Information Security Officer
University of Pennsylvania
For security matters: security@isc.upenn.edu (read by Data Admin. staff)
Other matters: millar@isc.upenn.edu
voice: (215) 898-2172
fax: (215) 898-0386
For PGP 2.6 Public key: http://www.upenn.edu/security-privacy/
PGP Fingerprint: 28 FB 09 DC C7 96 C2 53 1A B8 BE 3B 73 32 46 4C