1995-09-19 - Re: NYT on Netscape Crack

Header Data

From: Ray Cromwell <rjc@clark.net>
To: perry@piermont.com
Message Hash: a65983d0835edb6413177866afcc5e2b1307f6bf464ca5ecaffbdf60ca31d8c9
Message ID: <199509190703.DAA03247@clark.net>
Reply To: <199509190355.XAA01329@frankenstein.piermont.com>
UTC Datetime: 1995-09-19 07:03:38 UTC
Raw Date: Tue, 19 Sep 95 00:03:38 PDT

Raw message

From: Ray Cromwell <rjc@clark.net>
Date: Tue, 19 Sep 95 00:03:38 PDT
To: perry@piermont.com
Subject: Re: NYT on Netscape Crack
In-Reply-To: <199509190355.XAA01329@frankenstein.piermont.com>
Message-ID: <199509190703.DAA03247@clark.net>
MIME-Version: 1.0
Content-Type: text/plain



> 
> I suspect that there are far more flaws in Netscape. String buffer
> overflows are another good guess here -- they are probably rampant
> through the code both for the browser and the commerce server they
> sell. I can't prove it myself, of course, given that I don't have the
> time to rip the thing apart, but the same folks never seemed to learn
> their lesson in release after release when they worked at NCSA, and
> the only thing thats probably keeping their dignity here is the lack
> of distributed source code.

  I doubt this in the case of the browser. Atleast as far as the
parsing is concerned. There may be a buffer overflow for example,
when you input the url in the "open" window, but that has to be
done manually by the user and isn't a threat, like a "rogue homepage"
would be. The reason I doubt string buffer overflows in the case of
the browser is that it seems to be written in some object oriented
language, perhaps C++ (or maybe just oo-C like BSAFE). Once you
have a general robust String class, you can prove it's non-overflowable,
and therefore no composition of operations from the browser code will
overflow it (unless of course, you break language safety by using
casts and pointer manipulation) Secondly, Netscape has been very
robust in my own testing against these common bugs. One of the things
I've done lately is "tiger team" attacks against servers and browsers.
(of course, sendmail is a brilliant counter example)
(if you can find a call to gets() in Netscape, I will instantly 
retreat ;-) )

  Netscape's security maybe bad, but the rest of their browser, or atleast
their development process, is good engineering. They've built a very
complex application, fairly quickly, that runs with very few bugs,
across a wide variety of operating systems and GUI's, while maintaining
a consistent user interface and feature set. Netscape 2.0 incorporated
Java, LiveObjects, and more HTML3.0 in almost record time. (I wasn't
expecting a Java capable Netscape until atleast December). I'd like to
see Microsoft develop a piece of code that quickly that runs on
umteen different flabors of Unix, MacOS, and Win3.1/95/NT. Hell, they
can't even write code that runs smoothly across all three
flavors of their operating system.

-Ray


 
   






Thread