From: “Jeff Weinstein” <jsw@netscape.com>
To: cypherpunks@toad.com
Message Hash: 54cd9fe09ec3085c012a14a090502f582968618ee05dc1927071172090b31a9b
Message ID: <9509251617.ZM167@tofuhut>
Reply To: N/A
UTC Datetime: 1995-09-25 23:20:41 UTC
Raw Date: Mon, 25 Sep 95 16:20:41 PDT
From: "Jeff Weinstein" <jsw@netscape.com>
Date: Mon, 25 Sep 95 16:20:41 PDT
To: cypherpunks@toad.com
Subject: Security Update news release
Message-ID: <9509251617.ZM167@tofuhut>
MIME-Version: 1.0
Content-Type: text/plain
Here is the press release we put out this morning regarding the fix
for RNG seed and stack overflow problems.
--Jeff
BETA VERSIONS OF NETSCAPE SECURITY UPDATE TO BE AVAILABLE WEDNESDAY FOR
FREE DOWNLOADING
Company Puts New Code on Net for Examination;
Outside Security Experts Reviewing Software
MOUNTAIN VIEW, Calif. (September 25, 1995) -- Netscape Communications
Corporation (NASDAQ: NSCP) today announced that it has completed beta
versions of the security update for its client and server software and will
post the new software for free downloading from the Internet on Wednesday,
September 27. The beta versions of the software updates, being posted
following a review by internal and outside experts, are in response to the
potential vulnerability in the company's security implementation discovered
last weekend by two University of California at Berkeley students. In
addition, Netscape is taking the opportunity to include other improvements
with this update.
Netscape addressed the potential vulnerability by increasing the amount of
random information it uses to seed the random number generator in its
security implementation. In Netscape's security approach, the random
number generated is used in a mathematical formula to create a "session
key" for encrypting information to be sent across the Internet. The new
solution uses many times more random information than the previous version,
ensuring much greater degrees of difficulty in identifying the key used to
encrypt a particular session. The solution is also now assembled in a
platform-dependent manner which, when combined with the increase in random
information, makes Netscape's products substantially more secure than
before the update.
Netscape's source code that will be used to address the potential
vulnerability has already been posted on the Internet so that it can be
reviewed by anyone wishing to do so. This technique is often used in the
development of security software to ensure the highest level of inspection
possible before the final software is made available to customers. The
code is also being reviewed by external security experts retained by
Netscape and various Netscape platform partners with expertise in specific
operating system environments to provide additional checks on the soundness
of Netscape's approach.
"We have always encouraged users to provide feedback on new versions of our
software, and our posting of this security source code on the Internet is a
natural extension of that approach," said Mike Homer, vice president of
marketing at Netscape. "We plan to continue to use the Internet to test
new software versions, as we will shortly with the beta version of our
newly announced Netscape Navigator 2.0. We expect that this kind of open
review will help us continue to create products of the highest quality."
Netscape is using the opportunity of this week's beta releases to also
update other portions of its software, addressing such issues as
domain-name limitations in international versions of Netscape Navigator
and potential stack overflow conditions. Netscape is also placing the beta
versions of the security updates for its Netscape servers on the Internet
for free download by customers.
"We process hundreds of customer orders daily using Netscape software.
Netscape's commitment to excellence as evidenced by the company's immediate
action in response to reported vulnerabilities is one of the many reasons
Internet Shopping Network has chosen Netscape products for conducting
Internet commerce," said Randy Adams, president of Internet Shopping
Network. "We have built a multi-million dollar business on the Internet
using Netscape products and they are a major factor in our success."
The beta versions of the updated software -- Netscape Navigator 1.2.1b for
Windows, Netscape Navigator 1.1.1b for Macintosh and UNIX, Netscape
Commerce Server 1.1.1b, and Netscape Proxy Server 1.1.1b -- will be
available on Wednesday for downloading from Netscape's home page at
http://home.netscape.com. All Netscape users are encouraged to download
the new versions as soon as possible to ensure they are using the most
up-to-date security software from Netscape. Final versions of the updates
will be posted after all testing is complete.
Netscape Communications Corporation is a premier provider of open software
to enable people and companies to exchange information and conduct commerce
over the Internet and other global networks. The company was founded in
April 1994 by Dr. James H. Clark, founder of Silicon Graphics, Inc., a
Fortune 500 computer systems company; and Marc Andreessen, creator of the
NCSA Mosaic research prototype for the Internet. Traded on Nasdaq under
the symbol "NSCP", Netscape Communications Corporation is based in Mountain
View, California.
###
Additional information on Netscape Communications Corporation is available
on the Internet at http://home.netscape.com, by sending email to
info@netscape.com or by calling 415-528-2555.
Netscape Communications, the Netscape Communications logo, Netscape,
Netscape Navigator, Netscape Commerce Server and Netscape Proxy Server are
trademarks of Netscape Communications Corporation. All other product names
are trademarks of their respective companies.
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
We issued the following news release this morning:
----------------------
FOR IMMEDIATE RELEASE
BETA VERSIONS OF NETSCAPE SECURITY UPDATE TO BE AVAILABLE WEDNESDAY FOR
FREE DOWNLOADING
Company Puts New Code on Net for Examination;
Outside Security Experts Reviewing Software
MOUNTAIN VIEW, Calif. (September 25, 1995) -- Netscape Communications
Corporation (NASDAQ: NSCP) today announced that it has completed beta
versions of the security update for its client and server software and will
post the new software for free downloading from the Internet on Wednesday,
September 27. The beta versions of the software updates, being posted
following a review by internal and outside experts, are in response to the
potential vulnerability in the company's security implementation discovered
last weekend by two University of California at Berkeley students. In
addition, Netscape is taking the opportunity to include other improvements
with this update.
Netscape addressed the potential vulnerability by increasing the amount of
random information it uses to seed the random number generator in its
security implementation. In Netscape's security approach, the random
number generated is used in a mathematical formula to create a "session
key" for encrypting information to be sent across the Internet. The new
solution uses many times more random information than the previous version,
ensuring much greater degrees of difficulty in identifying the key used to
encrypt a particular session. The solution is also now assembled in a
platform-dependent manner which, when combined with the increase in random
information, makes Netscape's products substantially more secure than
before the update.
Netscape's source code that will be used to address the potential
vulnerability has already been posted on the Internet so that it can be
reviewed by anyone wishing to do so. This technique is often used in the
development of security software to ensure the highest level of inspection
possible before the final software is made available to customers. The
code is also being reviewed by external security experts retained by
Netscape and various Netscape platform partners with expertise in specific
operating system environments to provide additional checks on the soundness
of Netscape's approach.
"We have always encouraged users to provide feedback on new versions of our
software, and our posting of this security source code on the Internet is a
natural extension of that approach," said Mike Homer, vice president of
marketing at Netscape. "We plan to continue to use the Internet to test
new software versions, as we will shortly with the beta version of our
newly announced Netscape Navigator 2.0. We expect that this kind of open
review will help us continue to create products of the highest quality."
Netscape is using the opportunity of this week's beta releases to also
update other portions of its software, addressing such issues as
domain-name limitations in international versions of Netscape Navigator
and potential stack overflow conditions. Netscape is also placing the beta
versions of the security updates for its Netscape servers on the Internet
for free download by customers.
"We process hundreds of customer orders daily using Netscape software.
Netscape's commitment to excellence as evidenced by the company's immediate
action in response to reported vulnerabilities is one of the many reasons
Internet Shopping Network has chosen Netscape products for conducting
Internet commerce," said Randy Adams, president of Internet Shopping
Network. "We have built a multi-million dollar business on the Internet
using Netscape products and they are a major factor in our success."
The beta versions of the updated software -- Netscape Navigator 1.2.1b for
Windows, Netscape Navigator 1.1.1b for Macintosh and UNIX, Netscape
Commerce Server 1.1.1b, and Netscape Proxy Server 1.1.1b -- will be
available on Wednesday for downloading from Netscape's home page at
http://home.netscape.com. All Netscape users are encouraged to download
the new versions as soon as possible to ensure they are using the most
up-to-date security software from Netscape. Final versions of the updates
will be posted after all testing is complete.
Netscape Communications Corporation is a premier provider of open software
to enable people and companies to exchange information and conduct commerce
over the Internet and other global networks. The company was founded in
April 1994 by Dr. James H. Clark, founder of Silicon Graphics, Inc., a
Fortune 500 computer systems company; and Marc Andreessen, creator of the
NCSA Mosaic research prototype for the Internet. Traded on Nasdaq under
the symbol "NSCP", Netscape Communications Corporation is based in Mountain
View, California.
###
Additional information on Netscape Communications Corporation is available
on the Internet at http://home.netscape.com, by sending email to
info@netscape.com or by calling 415-528-2555.
Netscape Communications, the Netscape Communications logo, Netscape,
Netscape Navigator, Netscape Commerce Server and Netscape Proxy Server are
trademarks of Netscape Communications Corporation. All other product names
are trademarks of their respective companies.
Rosanne M. Siino
Director of Corporate Communications
Netscape Communications Corp.
415-528-2619
Return to September 1995
Return to ““Jeff Weinstein” <jsw@netscape.com>”