Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Critical Netscape Flaw Found

  1. #1

    Critical Netscape Flaw Found

    Security company Internet Security Systems is warning its customers about a critical security hole in a commonly used technology from the Mozilla Foundation called the Netscape Network Security Services (NSS) library that could make Web servers vulnerable to remote attack

    http://story.news.yahoo.com/news?tmp...pcworld/117543
    O.G at A.O

  2. #2
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Maybe someone with more experience with bugtrack can explain this, because I am confused.

    The article, referenced from PCWORLD references an advisory from ISS which proclaims they have a protection against a flaw in an NSS Library -... but they do not say what versions of NSS Library they are speaking.

    They reference a link to version 3.9.2 as a fix, which is the latest stable ( as far as I can tell ) but that has been available since 7/3/04.

    Again, they don’t say what versions of NSS are affected, and exactly what version the problem was fixed in. I searched bugtrack but could not tell.

    Is this a marketing ploy or is there something I am missing?

    And why the negative responses to the post?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #3
    IKnowNot, I have no idea why he was negged. I mean, it isn't like he is the only person on AO to just copy and paste news stories and then expect AP because they keep us "informed". -glares at various AO members-

    I'm also in the same boat as you here. There just isn't enough information to further explain the why's about this. And the information that given doesn't seem to fully add up in the article. Clues anyone?

  4. #4
    er0k
    Guest
    i believe he was negged, because he is memory :P

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I think the reason it's a big deal is the number of products that the exploited software ships with.

    Secunia has two good Advisories that they emailed out earlier today.

    The first one NSS Library SSLv2 Connection Negotiation Buffer Overflow Vulnerability is specific to the NSS 3.x Library Buffer Overflow. The new version is the fix and has been out for a while, however the reason this advisory is popular is because of the software (as I mentioned above) that it ships with. Netscape Multiple Products NSS Library Vulnerability has the software that is affected:

    The following products reportedly include the affected library:
    * Netscape Enterprise Server
    * Netscape Personalization Engine
    * Netscape Directory Server
    * Netscape Certificate Management System
    The number of admins running this server that have probably never updated it is quite high... A lot of people just install and leave it until they know there's a problem. They have the mentality of why use a newer version if this one isn't broken... This advisory is more to let them know that that version is broken and if they're running the original library that came with the software they are in trouble....

    I think that's why it's more of a big deal than other problems released right now... It's more high-end and could stand to affect more people.

    Peace,
    HT

  6. #6
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Originally posted here by IKnowNot
    And why the negative responses to the post?

    Uhhhh....could it be the fact that at the moment he accounts for about 60% (as in 6 of them are his recent IDs) of the "recently banned members" list?


    BTW ©opy®ight....you'll note that my name DOES NOT appear in your AP center....it's up to you to keep it that way cause you've had your last break from me. I still suggest that you take a LOOOONG break from posting like the mods advised you to.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  7. #7
    er0k
    Guest
    how hard is it to get a new account with no one knowing who you are? i mean seriously, its like you want us to find out dude. personally i like you, minus the whole not cool stuff you did here.. o well. back to fahrenheit 451

  8. #8
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I think the reason it's a big deal is the number of products that the exploited software ships with.
    Yes, but that doesn’t explain my confusion. These products ARE in wide use, and I agree
    The number of admins running this server that have probably never updated it is quite high...
    but every article and advisory relates back to the original ISS advisory which is sketchy in detail but proclaims they have "... provided preemptive protection for these vulnerabilities".

    From what I can tell some of the products, even with all service packs installed, still use NSS 3.7.something.

    So in which version was it fixed ? And which are affected? Has anyone seen an announcement from Mozilla or Netscape or Sun on this issue?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    What is not at all clear, is whether this vulnerability affects Mozilla client installations.

    I assume that Mozilla uses a similar library to the Netscape server products (aka iPlanet from Sun now) - therefore the bug could exist in Mozilla's libraries as well.

    I think it's fairly safe to assume that the installed base of Mozilla users (particularly with the apparent media focus on Firefox as an IE replacement for Windows users) is much higher than Netscape-based web servers.

    Slarty

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by slarty
    What is not at all clear, is whether this vulnerability affects Mozilla client installations.
    Yes, it is rather clear, it does not. If it had come up during testing, it would have been mentioned in the advisory, and likely the primary focus.

    I assume that Mozilla uses a similar library to the Netscape server products (aka iPlanet from Sun now) - therefore the bug could exist in Mozilla's libraries as well.
    Even if the libraries were identical it doesn't necessarily mean it could be exploited on the client side. Even setting aside the number of mitigating factors in somehow getting a Mozilla browser to connect to a malicious server serving out malicious SSLv2 certificates (which in and of itself would probably extremely limit the scope of the vulnerability), there is likely different calls for servers handling the certificates and the client receiving them.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •