
XMLHTTP flaw shows up in Netscape and Mozilla

We recently reported a critical flaw in IE that needed to be patched immediately. Now it turns out that Netscape and its cousin Mozilla are plagued with the same flaw. Unfortunately, no patch exists for them.
After finding a number of vulnerabilities in Microsoft products, Israeli security experts at GreyMagic Security have turned their attention to another software giant, AOL Time Warner. They've discovered flaws in Netscape Navigator that mirror some Internet Explorer vulnerabilities that were recently patched by Microsoft. But Netscape's flaws have yet to be addressed.

This particular threat is closely related to the “XMLHTTP Control Can Allow Access to Local Files” vulnerability in IE, patched in MS02-008. I discussed the problem in my March 11, 2002, column.

On March 30, 2002, GreyMagic Security researchers discovered that this flaw also affects Netscape Navigator and Mozilla (the open source offshoot of Netscape's Web browser). According to GreyMagic's advisory, the company notified Netscape of its research on April 24, 2002, with the warning that it would wait five days for the company to acknowledge receipt of the report before going public.

When GreyMagic didn’t get a reply by the deadline, it posted an advisory, and a few hours later, someone else posted a link to an advisory on Bugzilla. GreyMagic told me that it first heard from a Netscape engineer two hours after that Bugzilla posting.

As a GreyMagic spokesperson confirmed to TechRepublic, “Netscape is now trying to bend the term 'day' and claim that it interpreted our post as 'business day.' This attempt is futile, since all in all we waited six days, which are five business days in Israel. (Sunday is a business day.)”

The spokesperson added, “It took a post to a public system in order to get Netscape going.”

The company has not been encouraged by Netscape's response.

“[GreyMagic] sincerely hopes Netscape has learned from this incident, but until today [Thursday, May 2, 2002], there were no signs of it. We have not seen Netscape admit to its error; we have not seen Netscape tell researchers that they will take security more seriously from now on. All we've seen are attempts to avoid responsibility.”

A quick check of Netscape’s Web site and press releases shows no mention of this vulnerability, but the company’s director of communications e-mailed me and said, "[We've] identified the issue and developed a fix, which we intend to deploy in the near future.”

As for whether GreyMagic will be able to collect Netscape’s $1,000 Bug Bounty, the director said, “We don't discuss the details of individual cases.”

Threat level—critical
Microsoft described a similar vulnerability in IE as "critical," and I can’t see any reason why the problem would be any less dangerous in Navigator, except that Navigator has far fewer users.

The threat is a flaw in the XMLHTTP Request ActiveX component that allows an attacker to bypass security zone settings and access files on the hard drive. This vulnerability lets malicious Web sites penetrate systems through the browser and extract files from the user’s hard drive. According to a May 1, 2002, update by GreyMagic, there have been reports that the full content of folders can be accessed using this vulnerability. Threats just don’t get much more critical than that.

Still, one mitigating factor is that users would have to visit a malicious Web site to be vulnerable to an attack.

Applicability
This vulnerability generally affects these browsers:
  • Mozilla 0.9.7+ (but probably not Mozilla 1.0)
  • Netscape Navigator 6.1+

GreyMagic also specifically reports having tested and found this vulnerability on:
  • Mozilla 0.9.6, Linux (Debian)
  • Mozilla 0.9.7, Windows NT 4.0
  • Mozilla 0.9.8, Linux (Red Hat 7.1)
  • Mozilla 0.9.9, Windows 2000
  • Mozilla 0.9.9, Windows NT 4.0
  • Mozilla 0.9.9, Linux (Red Hat 7.2)
  • Mozilla 1.0 RC1, FreeBSD
  • Netscape 6.1, NT4
  • Netscape 6.2.1, Windows 2000
  • Netscape 6.2.2, Windows 2000
  • Netscape 6.2.2, NT4
  • Netscape 6.2.2, Linux (Debian)

Fix—None for Navigator
Unfortunately, no patch is available yet for this problem, and obviously, the Microsoft patch will work only with IE products. Until the promised patch is posted, the only solution is for Netscape and Mozilla users to use a different browser.

Final comments
The irony here is compelling. First, for many years, commercial software makers have touted their products as superior to open source products because they have the money to provide superior development, research, debugging, and support. Yet a giant like AOL Time Warner has been either unwilling or unable to address this critical flaw in a timely manner.

Conversely, large numbers of open source users have complained loudly about Microsoft vulnerabilities and the time it takes Microsoft to patch them, but a number of serious flaws have recently turned up in open source products (such as Mozilla) as well and have remained unpatched for an unacceptable amount of time.

The moral of the story is that both commercial and open source products have security problems and that businesses should not automatically feel safer by relying on one or the other for their network infrastructure.
