1995-10-23 - Re: Netscape Logic Bomb detailed by IETF

Header Data

From: "Josh M. Osborne" <stripes@va.pubnix.com>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: acac3204831aae5a30da01c97639b78fa67d78f2b1e9f2f81c7ca5820a2df8d5
Message ID: <LAA19345.199510231500@garotte.va.pubnix.com>
Reply To: <9510231413.AA26514@all.net>
UTC Datetime: 1995-10-23 15:01:02 UTC
Raw Date: Mon, 23 Oct 95 08:01:02 PDT

Raw message

From: "Josh M. Osborne" <stripes@va.pubnix.com>
Date: Mon, 23 Oct 95 08:01:02 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: Netscape Logic Bomb detailed by IETF
In-Reply-To: <9510231413.AA26514@all.net>
Message-ID: <LAA19345.199510231500@garotte.va.pubnix.com>
MIME-Version: 1.0
Content-Type: text/plain


In message <9510231413.AA26514@all.net>, Dr. Frederick B. Cohen writes:
[...]
>I strongly disagree.  If Netscape provided a way to execute shell
>commands on your host from a remote computer, it would certainly be a
>hole created by their product.  The fact that the default shell is
>potentially dangerous means it's incumbent on those who provide access
>to it to provide adequate protection.

They do, add:

application/x-shell; sh %s

to your .mailcap.

They had better stop supporting mailcap altogether; after all, *any*
of the programs in there could have buffer overflows or other
security problems.  I'll bet some of them even do.  Anyone want to
see if sox (a program that transforms sound files from format to
format, frequently used to convert .wav files to .au files) has
any overruns in the chunk handling code?

>If Netscape wants to claim their product doesn't degrade security, they
>should provide a safe postscript interpreter or not provide hooks to
>unsafe ones.

Sure, and they had better find a way to keep us from editing the binary
and adding whatever insecure features we may want to their program.

obcrypto: maybe it would be a good idea for programs to list problems that
are beyond their control.  To many people it may be surprising that anything
in their .mailcap could hurt them.  To others it is hardly a shock, and seeing
a lot of messages about it tends to get rather boring, esp. as a few people
jump up and down and yell about the Danger To Us All...

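One way to check your own .mailcap for the kind of entry Josh describes. This is an added example, not code from the thread or from Netscape; the audit rules and the sample file (apart from the `sh %s` line quoted from the post) are constructed.

```python
"""Audit a .mailcap file for viewer commands that hand the saved message body
straight to a shell, or run an interpreter without its sandboxing flag."""
import re

# Interpreters that execute whatever the saved body contains (constructed list).
SHELL_LIKE = {"sh", "bash", "csh", "ksh", "zsh", "perl", "python", "python3"}
# Ghostscript should be invoked with -dSAFER (constructed rule).
NEEDS_SAFER = {"gs", "ghostscript"}

SAMPLE_MAILCAP = """\
# constructed sample .mailcap
application/postscript; gs -dSAFER -q -dNOPAUSE -dBATCH -sDEVICE=x11 %s
application/pdf; gs -q -dNOPAUSE -dBATCH -sDEVICE=x11 %s
application/x-shell; sh %s
audio/*; sox %s -t au -; \\
  description="Any audio via sox"
image/gif; xv %s; test=test -n "$DISPLAY"
"""

def parse_mailcap(text):
    """Return (content_type, command, extra_fields) per RFC 1524 entry.
    Handles '#' comments, backslash line continuation and '\\;' escapes."""
    logical, entries = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("#"):
            continue
        if raw.rstrip().endswith("\\"):          # continued on the next line
            logical.append(raw.rstrip()[:-1])
            continue
        logical.append(raw)
        line, logical = "".join(logical), []
        fields = [f.replace("\\;", ";").strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2:
            entries.append((fields[0], fields[1], fields[2:]))
    return entries

def audit_mailcap(text):
    """Return (content_type, reason) for every entry worth a second look."""
    findings = []
    for ctype, cmd, _extra in parse_mailcap(text):
        argv = cmd.split()
        prog = argv[0].rsplit("/", 1)[-1] if argv else ""
        if prog in SHELL_LIKE:
            findings.append((ctype, f"{prog} is run directly on the saved body"))
        elif prog in NEEDS_SAFER and "-dSAFER" not in argv:
            findings.append((ctype, f"{prog} run without -dSAFER"))
    return findings

if __name__ == "__main__":
    for ctype, reason in audit_mailcap(SAMPLE_MAILCAP):
        print(f"{ctype}: {reason}")
```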