| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Sep 2005 01:27:09 +0300 (EEST) From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi> To: bugtraq@...urityfocus.com Subject: FF IDN buffer overflow workaround works in Netscape too Summary about Firefox IDN buffer overflow vulnerability workarounds in Netscape Browser [a new, more informative title used] Instructions and methods described at Mozilla Foundation Security Advisory "What Firefox and Mozilla users should know about the IDN buffer overflow security issue" https://addons.mozilla.org/messages/307259.html (yes, it was http://www.mozilla.org/security/idn.html earlier) can be used in Netscape too. This advisory has been included to security company advisories handling this security issue and mentioned in the news widely. Disabling IDN (Internationalized Domain Names) support via about:config Location Bar feature or prefs.js configuration file is possible in Netscape Browser 8 too. Additionally, .xpi file for Firefox and Mozilla Suite works in Netscape 8.0.3.3 too. Test in Windows environment was successful and even UA was changed to include '....Gecko/20050729 <<(No IDN)>> Netscape/8.0.3.3' string. However, the manual method is recommended. Vendor developer team was contacted, no reply yet. Like US-CERT says in Firefox VU#573857: "While implementing this workaround does not correct the buffer overflow error, it prevents the vulnerable portion of code from being exploited." When an updated version of Netscape Browser 8 is available the download link is http://browser.netscape.com/ns8/download/default.jsp Regards, Juha-Matti Laurio Security researcher Finland
Powered by blists - more mailing lists