From: jsw@neon.netscape.com (Jeff Weinstein)
Date: Tue, 26 Sep 95 15:22:07 PDT
To: cypherpunks@toad.com
Subject: Re: WSJ on Netscape Hole 3
In-Reply-To: <Pine.SUN.3.91.950925182134.14756E-100000@thrash.src.umd.edu>
Message-ID: <449ucq$f5d@tera.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <199509252300.QAA29812@infinity.c2.org>, sameer@c2.org (sameer) writes:
> 	He's -asking- for an exploit. Tshirts to Ray and the person who
> does the exploit, if it gets written. Maybe I should just ring up 8lgm and
> have them do one.
> 
> 
> > 
> > On Mon, 25 Sep 1995, John Young wrote:
> > 
> > >    The Wall Street Journal, September 25, 1995, p. B12.
> > 
> > >    Marc Andreessen, vice president of technology at Netscape,
> > >    said the company will issue fixes for the recent glitches
> > >    later this week. He added that it's unclear whether
> > >    anything other than temporarily crashing a user's computer
> > >    could result trom the recent flaw. 
> > 
> > Oh Marc, you didn't really want to say that, did you?
> > 
> > -Thomas
> > 

  I asked Marc about this one, since it bothered me too.  Apparently
Jared asked Marc if he was aware of specific examples of how this bug
might be exploited.  Marc replied that we had not seen anything
other than what was already posted on cypherpunks.

  Since the original article did not use quotes, I assume that what
was written was a paraphrase, and as such it has been interpreted
by the author.

  That said, we take this problem seriously, and have
taken steps to fix it.  The patch that will be released tomorrow
will include fixes for this buffer overflow, and others that we
found during a review of all of our code.  I think it would be
more constructive to pound on the new version than one that is
known to be busted, and will be patched by tomorrow.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.