SECURITY IN 2.02
* Summary Technical Background (includes 2.01 fixes):
Netscape has implemented fixes to the portions of our software
containing the following problems and reviewed them with outside
experts.
+ JavaScript will now be correctly limited from listing the
file names of a directory and limited from automatically
posting mail and news.
+ JavaScript problems have been fixed relating to
document.close() and semiautomatic file upload.
+ Netscape has also improved the safety of URL parsing by
disallowing gopher connections to non-standard ports and by
searching for new line characters in gopher URL strings and
stopping URLs containing such characters from being executed.
+ The document information window now provides security
information for pages from memory cache.
+ Java problems have been fixed relating to the Princeton class
loader attack, access to DNS behind a firewall, and
showDocument().
* Relating to JavaScript:
A user's email addresses could have been inadvertently exposed to
individuals without the user knowing it, compromising the user's
privacy. Netscape Navigator 2.02 solves this privacy problem by
limiting JavaScript's ability to automatically post mail or news
from form elements. This ensures that user interaction is required
to send mail or post news messages.
Another feature of JavaScript is the ability for a server script
to list files and directories. Due to an implementation problem in
Netscape Navigator 2.0, a privacy concern existed because it was
possible for a server script to access the listing of local file
names and directories on the user's machine. This problem did not
allow the server to see the contents of any local files or modify
local files in any way. Navigator 2.02 fixes this problem by
refusing to allow a script from a server to view file names and
directory listings from the local user's machine.
Also: The document.close() method now works properly. Fixes have
been added to prevent semi-automatic file uploads.
* Relating to Java:
A problem has been fixed where, previously, under some
circumstances the ClassLoader allowed derived classes access to
native methods.
At sites where the firewall prevents DNS info from passing onto
their intranet, Navigator was failing to load applets (Java
exception was thrown). The fix allows the applet to load, but then
prevents the applet from trying to make a socket connection to its
"home" host (since the IP address was not pre-verified).
A problem has been fixed where showDocument() malfunctioned when a
server provided a location redirect to an alternate.
* Relating to Ports:
2.02 fixes a problem where it was possible for a Gopher URL to be
used to send commands to ports other than those that were
reasonable for the Gopher service. It was possible that this
feature could be used to exploit other security vulnerabilities
behind firewalls. Navigator 2.02 fixes this problem by limiting
the ports that a Gopher URL can access and by disallowing certain
control characters in a valid Gopher URL.
* Relating to General Security:
The document information window now provides security information
for all pages, including pages retrieved from the memory cache.
Previously, when you viewed document info from pages retrieved
from memory cache, you saw "Security: Unknown".
* Relating to Cache and Date Calculations Across Timezones:
The Navigator is able to correctly compare the age of a document
on the server with the corresponding document in your cache, even
if the documents are in different time zones or on opposite sides
of a daylight savings / standard time boundary.
In other words, the reload button works now. You will see the
latest copy of the document when you hit reload.
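
The Gopher URL restriction described under "Relating to Ports", sketched as an added example; this is not Netscape's code. The notes do not list the permitted ports or the exact control characters, so the allowed set (port 70 only) and the rejected byte range are assumptions, and the hostnames are constructed.

```python
from __future__ import annotations
from urllib.parse import urlsplit, unquote_to_bytes

# Assumption: only 70, the IANA-assigned Gopher port, is permitted.
ALLOWED_GOPHER_PORTS = frozenset({70})
DEFAULT_GOPHER_PORT = 70
TAB = 0x09  # gopher URLs use %09 to separate selector and search string


def _is_control(byte: int) -> bool:
    """C0 control characters and DEL."""
    return byte < 0x20 or byte == 0x7F


def check_gopher_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a gopher URL before any connection is made."""
    # Check raw control characters first: some URL parsers silently strip
    # tab, CR and LF, which would hide them from later checks.
    if any(_is_control(ord(c)) for c in url):
        return False, "raw control character in URL"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL or port"
    if parts.scheme.lower() != "gopher":
        return False, "not a gopher URL"
    if not parts.hostname:
        return False, "missing host"
    if (DEFAULT_GOPHER_PORT if port is None else port) not in ALLOWED_GOPHER_PORTS:
        return False, "port not allowed for gopher"
    # The client percent-decodes the selector before sending it, so the check
    # must run on the decoded bytes. Assumption: every control byte except
    # TAB is refused, which covers the new line characters the notes mention.
    decoded = unquote_to_bytes(url)
    if any(_is_control(b) and b != TAB for b in decoded):
        return False, "control character in decoded URL"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "gopher://gopher.example/1/docs",
        "gopher://gopher.example:70/7/search%09term",
        "gopher://gopher.example:25/1/x",
        "gopher://gopher.example/1/x%0d%0aY",
    ]
    for s in samples:
        print(check_gopher_url(s), s)
```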