
List:       bugtraq
Subject:    Netscape 4 Java buffer overflow
From:       Jouko Pynnonen <jouko () solutions ! fi>
Date:       2002-11-26 18:12:56
The Java implementation of Netscape 4 contains a buffer overflow 
vulnerability. Arbitrary code may be run on a Netscape user's system 
when a web page containing a malicious applet is viewed.

The buffer overflow happens in the method canConvert() of the class 
sun.awt.windows.WDefaultFontCharset. An applet may trigger the overflow 
by passing a long string to the constructor of the class and invoking the 
method canConvert() on the created instance. In Java:

  new WDefaultFontCharset(long_string).canConvert('x');

The vulnerability is a trivial case of buffer overflow. Its 
exploitability has been confirmed with an exploit which runs a program 
when a web page is viewed.

Netscape 4 has a very limited user base nowadays. Other Netscape 
versions use Sun Microsystems' Java Plug-in, so they aren't vulnerable. 
This vulnerability only affects the Windows platform, which limits the 
number of vulnerable systems further. The vulnerability doesn't appear 
exploitable on other browsers. Netscape and Sun Microsystems were 
informed about the problem in August 2002. Netscape 4 users can protect 
themselves from the flaw by disabling Java in Preferences.


  Jouko Pynnönen
  jouko@solutions.fi
