1997-06-17 - More about Netscape Bug finder

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: 6dc44947f9e6f021150c2d0a921b9776b9319b1cbc4cfad2b5d2c29c9f4652a3
Message ID: <v030209a4afcb8c31bbc6@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1997-06-17 02:55:50 UTC
Raw Date: Tue, 17 Jun 1997 10:55:50 +0800

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Tue, 17 Jun 1997 10:55:50 +0800
To: cypherpunks@toad.com
Subject: More about Netscape Bug finder
Message-ID: <v030209a4afcb8c31bbc6@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain




--- begin forwarded text


Date: Mon, 16 Jun 1997 18:24:32 -0500
From: Bill GL Stafford <springco@arn.net>
Organization: Spring Management Company
MIME-Version: 1.0
To: "dcsb@ai.mit.edu" <dcsb@ai.mit.edu>
Subject: More about Netscape Bug finder
X-Priority: 3 (Normal)
Sender: bounce-dcsb@ai.mit.edu
Precedence: bulk
Reply-To: Bill GL Stafford <springco@arn.net>

  Christian Orellana gambled $1000 and lost.  Not the worst thing he could
have done.  Now the world knows how Netscape approaches a potential
crisis.  They did not panic although they may have come close to it.  I've
seen that much lost in a cloak room with a pot not near as big as Christian
sought. Any way you look at it, it's just a roll of the dice.

Bill GL Stafford
springco@arn.net
Wired Magazine on web

An Email Trail from Bug Spotter to Netscape
           6:01pm 13.Jun.97.PDT
           The following is a copy of the
           email exchange between Netscape officials and
           Christian Orellana, the Danish consultant who
           found the Netscape Navigator bug. A copy of the
           text was provided to Wired News by Netscape and
           appears unedited. Wired News has chosen not to
           publish Orellana's email address.
           Subject: Major security bug in Netscape
           Navigator 3 and 4
           Date: Mon, 9 Jun 1997 19:19:13 +0200
           From: Christian Orellana
           To: stracy@netscape.com
           Hello!
           We have discovered a major security bug in
           Netscape Navigator 3.0, which remains uncorrected
           in the new Communicator release. The bug affects
           Navigator running on all platforms in the standard
           configuration.
           The bug allows access to any file on the clients file
           system, and does not affect Microsoft Internet
           Explorer.
           This bug is potentially very interesting to Netscape
           considering that the new release of Navigator is due
           in just three days.
           The bug has not previously been reported, and
           remains unknown to anyone but us (to the best of our
           knowledge). Please get back to us a.s.a.p. (before
           Netscape DevCon) if this knowledge is of any interest
           to you. You can reach me at the phone number
           below.
           I have tried to reach Netscape for a while now, and if
           Netscape remains uninterested in the issue I may
           contact some other interested parties.
           Yours sincerely,
           Christian Orellans [sic]
           ---
           Subject: Please confirm
           Date: Mon, 9 Jun 1997 20:14:08 +0200
           From: Christian Orellana
           To: stracy@netscape.com
           Hello!
           Could you please confirm that you have received my
           previous letter.
           Also I would like to restate my claim that this is of the
           utmost importance for the upcoming launch of
           Communicator. The bug allows complete read access
           to the clients hard disk.
           Christian Orellana.
           ---
           Subject: Re: [Fwd: Major security bug in
           Netscape Navigator 3 and 4]
           Date: Mon, 09 Jun 1997 11:51:04 -0700
           From: edithg@netscape.com (Edith Gong)
           Organization: Netscape Communications
           To: Shannon Tracy , lalam@netscape.com
           References:
           <339C3C32.FE3F5683@netscape.com>
           Shannon,
           I don't know what else to do. Can someone in DSE
           contact this person to get the details by phone. We
           can't investigate until we understand what the issue is.
           I'll see if someone in tech support can contact the
           customer
           Edith
           ---
           Subject: Re: Please confirm
           Date: Mon, 09 Jun 1997 12:00:03 -0700
           From: Shannon Tracy
           Organization: Netscape Communications
           To: Christian Orellana
           References:
           Dear Christian Orellana:
           Yes, I received your message. The project manager
           just responded that they are trying to find someone to
           contact you, however, we can't investigate until we
           understand what the issue is. Can you please furnish
           a few additional details so that we know who best
           might be able to handle this situation?
           Thanks,
           Shannon Tracy
           ---
           Subject: Re: Please confirm
           Date: Mon, 9 Jun 1997 21:11:44 +0200
           From: Christian Orellana
           To: stracy@netscape.com (Shannon Tracy)
           References:
           Dear Shannon.
           In short the first version of the bug I had up and
           running allowed me to get any file whose path I knew
           on the clients hard disk. I just got another version up
           and running, and considering that the location of
           quite a few files on a typical windows/mac/unix
           installation is pretty well known, it should be no
           surprise that this new version can actually scan the
           clients harddisk for specific files, and download them.
           I can not reveal much more detail, without giving
           away the bug, which I will not do, since I think this
           information is so valuable to Netscape that it should
           be worth a good deal of money. The information is
           certainly worth a bit on the free market, and I am
           currently awaiting responses from other parties.
           In other words I think the person most suited for
           handling this, is someone in charge of the company
           check book (-;
           Regards - Christian
           ---
           Subject: final note on Navigator bug
           Date: Mon, 9 Jun 1997 23:07:59 +0200
           From: Christian Orellana
           To: stracy@netscape.com (Shannon Tracy)
           Netscape:
           I think my approach to you on this subject has been
           fair and serious. I am offering you a piece of
           information that I consider of very high value. The
           implications of the bug mentioned in previous emails
           are immense.
           Considering the widespread use of home-banking
           software, not to mention the impact on multiuser
           systems in the government and corporate sector, like
           unix and NT environments, where access to the
           encrypted password-files would render the systems
           extremely vulnerable, I think all pre Communicator
           versions of Navigator (supposing you fix the bug in
           Communicator) would be pretty useless. I will leave it
           to you to estimate what impact that would have on
           Netscape stocks.
           I have to inform you that David Gross at CNN is on
           hold with the news, and is only waiting for me to give
           him the final demonstration, to verify the bug.
           I must also inform you that CNN is not the only
           interested party, and that I will consider my options
           once I get Netscape's standpoint on the matter.
           I would be more than happy to give a demonstration
           of the bug, under controlled circumstances, but we
           would have to sign some sort of agreement first.
           Regards, Christian Orellana.
           ---
           Subject: Re: [Fwd: Major security bug in
           Netscape Navigator 3 and 4]
           Date: Thu, 12 Jun 1997 16:40:33 -0700
           From: chrish@netscape.com (Chris Holten)
           Organization: Netscape Communications
           To: chrish@netscape.com
           References: 1
           Subject: Major security bug in Netscape
           Navigator 3 and 4
           Date: Mon, 9 Jun 1997 19:19:13 +0200
           From: Christian Orellana
           To: stracy@netscape.com
           Hello!
           We have discovered a major security bug in
           Netscape Navigator 3.0, which remains uncorrected
           in the new Communicator release. The bug affects
           Navigator running on all platforms in the standard
           configuration. The bug allows access to any file on
           the clients file system, and does not affect Microsoft
           Internet Explorer.
           This bug is potentially very interesting to Netscape
           considering that the new release of Navigator is due
           in just three days.
           The bug has not previously been reported, and
           remains unknown to anyone but us (to the best of our
           knowledge).
           Please get back to us a.s.a.p. (before Netscape
           DevCon) if this knowledge is of any interest to you.
           You can reach me at the phone number below.
           I have tried to reach Netscape for a while now, and if
           Netscape remains uninterested in the issue I may
           contact some other interested parties.
           Yours sincerely,
           Christian Orellans
           ---
           Subject: Please confirm
           Date: Mon, 9 Jun 1997 20:14:08 +0200
           From: Christian Orellana
           To: stracy@netscape.com
           Hello!
           Could you please confirm that you have received my
           previous letter.
           Also I would like to restate my claim that this is of the
           utmost importance for the upcoming launch of
           Communicator. The bug allows complete read access
           to the clients hard disk.
           Christian Orellana.

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/






