************************************************************************** Security Bulletin 9717 DISA Defense Communications System July 2, 1997 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ADVISORY: 97-09 Release date: 01 Jul 1997 DESCRIPTION: Netscape Navigator Security Vulnerability PLATFORM: All platforms running Netscape Navigator 2.0, 3.0, and Communicator 4.0. IMPACT: A hostile web server may retrieve known files from visiting systems, ie various configuration files, etc. SOLUTIONS: Apply the workaround or the appropriate patch provided below. [ Beginning of CIAC Bulletin ] Introduction ============ Recently, the Internet community was made aware of a bug in the Netscape Navigator. Netscape engineers were able to recreated the bug in Netscape Communicator and Navigator 2.0 and 3.0. Known as the privacy bug, it may allow a Web site operator to retrieve known files from the hard disks of visiting users by mimicking the submission of a form. Under ordinary circumstances, users browsing on known, trusted sites are not at risk. However, if a user visits an unknown, untrusted site, the operator of that site could potentially retrieve files from a user's hard disk through an obscure series of steps. To access a file on the hard drive the Web site operator would need to know the exact name and location of the file. Even though the bug has been highly publicized, this factor in itself limits the possibility of this vulnerability being exploited. Netscape released the following statement: "The execution of this attack requires specific knowledge of the user's machine to cause harm and so is unlikely to be reproduced. Because this specific bug has existed for more than a year and a half since Navigator 2.0 -- and Netscape has never had a report about this bug or any loss based on this bug -- we believe the risk to users from this bug is relatively low." CIAC recommends that you apply the workarounds or the appropriate patch provided below. Workarounds =========== To remove any risk of this bug, Navigator users should download the updated version of Communicator or Navigator, that includes the fix. In the interim, users of Navigator 3.0 and Communicator 4.0 can take the following steps to enable warning dialog boxes to detect and cancel form submissions: In Navigator 3.0: Go to the Options menu and select Security Preferences. Select the "Submitting a Form Insecurely" preference to enable that warning dialog box. In Navigator 4.0: Select the lock in the toolbar to open the Security Advisor. Select Navigator, then select the "Sending Unencrypted Information to a Site" preference to enable that warning dialog box. Patches or Upgrades =================== Communicator 4.01 for Windows (includes the fix for privacy bug) http://home.netscape.com/download/client_download.html?communicator4.01 Navigator 3.0 Fix pending per Netscape [ End of CIAC Bulletin ] ______________________________________________________________________________ The ASSIST staff would like to thank CIAC and Netscape for the information contained in this bulletin. ______________________________________________________________________________ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Global Operations and Security Center (GOSC), which provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions, contact the Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ___________________________ ASSIST CONTACT INFORMATION: E-mail: assist@assist.mil Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline Fax: (703) 607-4735 (DSN 327-4735) Unclassified ASSIST Bulletins, tools and other security related information are available from: http://www.assist.mil/ ftp://ftp.assist.mil/ To be added to our mailing list for ASSIST bulletins, send your e-mail address to: assist-request@assist.mil In the subject line, type: SUBSCRIBE your-email-address ___________________________________ OTHER DOD CERT CONTACT INFORMATION: Air Force CERT Phone: (800) 854-0187 Air Force CERT Email: afcert@afcert.csap.af.mil Navy CIRT Phone: (800) 628-8893 Navy CIRT Email: navcirt@fiwc.navy.mil Army CERT Phone: (888) 203-6332 Army CERT Email: acert@vulcan.belvoir.army.mil _________________ ASSIST BULLETINS: Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from ftp.assist.mil (IP address 199.211.123.12). Note: ftp.assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided. ASSIST uses Pretty Good Privacy (PGP) as the digital signature mechanism for bulletins. PGP incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP may be used for non-commercial purposes only. Instructions for downloading the PGP software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBM7l3BNH6sbnW3Io9AQHnAAP+MdVMl4n6nkuip1AKIcp/eM0mKw/fh6KN 5wHfXbQZTnnccoOXwnZuPVedxRcRCLXSQhoPh9yFvGbiMcBnwksMmBb/ZZIqIrYp 3O0q4k31aK7QM6U5cP5q0OtD2JtgjD3b52uJBl4xmeFNvpWh08gha+ixO7rHYN4K 4TXbrWQ+v6w= =BcAv -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.