SecurityTracker Alert ID: 1014349
SecurityTracker URL: http://securitytracker.com/id/1014349
Updated: Jul 6 2008
Original Entry Date: Jul 1 2005
Denial of service via network
Exploit Included: Yes
Juha-Matti Laurio reported a vulnerability in the Netscape browser. A remote user can cause the browser to crash.
A demonstration exploit is available at:
The vendor was notified on June 30, 2005.
This type of vulnerability was originally discovered by Paul Kurczaba, reported as affecting Mozilla products.
A remote user can cause the target user's browser to crash.
No solution was available at the time of this entry.
Vendor URL: browser.netscape.com/ns8/product/default.jsp
Exception handling error
Underlying OS: Windows (Any)
Source Message Contents
The newest Netscape Browser version 8.0.2 is confirmed as affected by the
(Proof of Concept) test pages located at
http://www.kurczaba.com/html/security/0506241.htm (Manual and Automatic).
This can possibly be exploited by constructing a malicious Web page. If
an attacker has ways to persuade a user to visit this Web site, this can
be used to crash the user's browser. After a crash effect browser will
Some user interaction is needed for the vulnerability to take effect when
discussing PoC issue #1.
Issue #1: http://www.kurczaba.com/html/security/0506241_poc.htm
Button "Go" was clicked.
Browser crashed without any visual effect and/or warning.
Issue #2: http://www.kurczaba.com/html/security/0506241_poc2.htm
Browser crashed with the following information-like dialog box:
netscape.exe has encountered a problem and needs to close. We are sorry
for the inconvenience. For more information about this error, [click
Only 'Close' button was available. After clicking 'Close' button,
Netscape Browser quit.
- Technical details:
Menu setting Tools / Options... / Site Controls / Web Features:
Naturally, Rendering Engine 'Firefox' was used when tested.
pages mentioned earlier.
From the vendor:
"The All New Netscape Browser 8.0 - Speed, Flexibility and More Security
Choices Than Any Other Browser. Netscape began by trying to make an
Internet that users found easy to use."
- Solution status:
No solution was available at the time of reporting.
Netscape Browser 8.x
(free for downloading)
- Affected versions:
The vulnerability has been reported in version 8.0.2. Other versions may
also be affected. The user agent string used was Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050603
Netscape Communications Corp.
Vendor Home Page:
Product Home Page:
OS: Microsoft Windows
CVE reference: N/A
Disable selection from Tools / Options... / Site Controls / Web
Rendering Engine used: Firefox
Related menu section: Tools / Options... / Site Controls / Web Features:
Add untrusted sites to I Don't Trust This Site list and check that
If this is not possible:
Do not browse untrusted web sites or click untrusted links in e-mail messages.
Vendor was contacted on 30th June, 2005.
This vulnerability was earlier researched in the following Mozilla
products; (Mozilla) Firefox, Mozilla (Suite) and Camino by Paul
Kurczaba Associates Security Advisories > Mozilla Multiple Product
From the advisory:
crash the above named browsers. The script can be executed both with and
without user intervention."
28-06-2005 - Vulnerability researched and confirmed
30-06-2005 - Vendor contacted
01-07-2005 - Security companies and several CERT units contacted
Juha-Matti Laurio, Networksecurity.fi