Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Critical PNG Flaw Haunts Netscape



 By: Ryan Naraine
2004-12-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A previously reported image handling vulnerability is discovered in new versions of AOL's Netscape browser.

America Online Inc.s efforts to kick-start renewed interest in its Netscape browser got off to a rocky start with researchers warning of a "highly critical" flaw that could lead to remote code execution.

Just 24 hours after AOL unveiled a new Netscape prototype, Sun Microsystems Inc. issued an advisory for multiple vulnerabilities in the way the browser handles PNG (portable network graphic) images.

The bug, which affects Netscape 7.x, is directly related to the previously reported buffer overflows in the PNG Library (libpng) that is used to manipulate PNG files.

Resource Library:

Click here to read more about the flaws in the PNG library.

Sun said the flaw puts Netscape users at risk of remote code execution attacks.

"This condition can be exploited when the local user has loaded a Portable Network Graphics (PNG) format image file supplied by an untrusted user and views a malicious web site or views an e-mail message containing a malformed PNG image with that application," according to the Sun advisory.

The affected Netscape 7 is shipped in Suns Solaris 9. It was also available for Solaris 7, 8 and 9 as part of the SUNWnsb package, Sun said.

Independent research firm Secunia rates the issue as "highly critical" and recommends users use another browser until a patch is made available.

AOL spokesman Andrew Weinstein declined to comment until the company has time to investigate the Sun advisory.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Critical PNG Flaw Haunts Netscape
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks8q8c=mG-9֎my-%L*EB%)ۚ'ΗSOx-N&sN-`n4w~ IM˙Kל۔\sPç}$5]2i*_ d&@ jہ)}mk4 uB;=>;|9|AL=TadJ4lhwlBhL@Fܨ_X&``1Zt|Rl #: rWӺ'Ai @I>R(h] ]( ѼGeMQR`N Cw&tb9 Q#RV2/FXDP~DMc?9;~'CϚr_CGaiZg#2]hj:TE$*cO^3jb䅰Q(0F.Č/uI%۝߼IԈIdZ"[;dTZ #63!1kT%R>l@G-> H1PN$}+AaSGiH'|6XpiGJ =~b[4…H8CEn]!ؾtwyDf*Z2'l"Rۆ@ظz00!} %D"SHuhs 2 eþ;JP+qV*cgCrL!-ghTzEÝ|g4:ڿP)e{~] !􏂺lݹڎ6жk%{zsqN5o9 ]:NַRߘ 0QR&jtߘekfy 3?TrJw3F~ WgۗkUw'g|v ܹOlDM Wh6w0N/=?_CǙMXCEC0ʡ~Ff;|io]8螒$˷SYn `םBm۲ܹ*BZKEןȃa(7fhX@?$eR2Z-8Zut( kPy۬)MZ!rƒ uKsQ8nZK0[RFp\ ДQ#\ذ 1"%̟hJ@Ջ"}Et"Aͩ4 (J!b^3tɋ BD4?CC7=aB+Y,h.2W-}zY[5'jtamE՘is_eޡ:Y5piuO~S35ލhX.B2i%!8W5MGV=LL'_@r /*r[h S2ud8԰1nұ>âx?0 t3ϼc|>55F㤞F!|Бd6mb8-" ,70}Hw@z1¤p;pw>>-Fv1s{Q {>0iCkFQD4h-D&q@ 9q HhS0|w0[[30(Ac` VGPAX]7$>(Gk6G~[>l0sQ|'sZ( 7^b@}JIIL}ABt"AђF )4 g X"K"'' `[X;.V+\y"*m':.܉;T+Jd&3,BV-KїPf%i2khƺń(VFN1|(0Vf)RبQm7eXutLބxl,aCtH{2l` [NH:4$a.*d٦39`'<&4ğ;nX$}׾dχ +L+f9N)A\_XHaA=4m)9X0N-cJb+H5LôLhD,io>` yE"yTXw%3Ͱ&q8G+oozfr=*FSMzB9)wdmr)R۪vs9n$!+xWY 2gdRUyqtʝ+PX[3n2>Mj=&"ǰP7Zp(^HISНj!D9zէl)>s-%֊eORu#z_No6ʁveXZ @UYlc70Ԣ騬P|M$"!lùfXdžJ>]!1Ada:(u!{jaaC+%UVLG,mk9^a5sV@6@@7hM TlVCax=ZAwm=_T\v /*||2ː 7um CO5,v&ff:X[' +ȁUzqڋgpp0uVׅ=% ._8g7i+B ۣӜh2F ñeH׽iAʫu&-KjE)jBEl ԑq,YX6Tصm!0}ugAPOKK˙@'@&"Y#gѠVĒ8vYPzP* WG˿\fcp'zpgI 7Ѿ'hʰeYh`Zu'6$kD(OnssQ*J7+ )R;z^*k 5UUR;.Z 7;z&9̓c q'|}1Moř1FtI9[J?C0t.rɵ`s||ujN8elCc>eLFrlx\a+`v*7w/6Jh)6YS!RW dĞee[etkC鋨<3p{2s񖯧ޖOmwn;hi-uQjy)Am /5r/6ߦI39旉^_잫VI% d,fqN0cp&vN{56us0X3f~V`pl1\GA>э'a*r1#_J} [Lߴ@V1m0=̞̝A-mۨX9)6ugc5NZ:<*C)/TʜYe/(QUmq'F.,%e.N1)Q,&v}j;_&I|SeUȓV)kY+T\U񋰷8C+`-XRj#L*"o&ŏ[o(urmN3HG~T>WʠO}b*kZQR޾*rk4rO,ش,>6W"h -z; ezzX-,sK"hJgԋ_q[rn)ty4ņ5ѣ(4CFup0 O+os{KIl/kK{@utS6dUuZ]J_D'sL؞EA({OBWuṚo{{C4÷,L)~39Ȕ)xT-kZb[Ԫc"iBqC` IZT+) ,%~W9@` |ZUjrF22@BZA$d1~&~f?Н :waa=&A`Wǽ4._U#R9&jMU[^wh-6:%5>6 `i4~{L]LpǴƽynݫ 6zv9D2DHw4z7.wѻGE#N zs=A DH#䄬W!yN/:FStk;d4)(g~H6}i:Z(XKݹ̂KӜ4"^k=SfaoFhv19ºUXȬe`&|PH:>X1aX@ $X)XCu:__>G:KE5P ` bT10_RFMQ6=#ijvwLg"'(?+9Q_;Qo9Kj}K_cOͲh<& ]l{pXXJqv#]c~:)}CON9˝~Lu(Í7F jE pZIS"9oթ-4iKly0;ƶpa!d)bz&$0m1결uC%<1ON)gtJē˓!=)jچIմg28I5F4A2 uID? Mt4DPWl Pق[W5=ܻ8^]ҽ|syt4*kEe85(AuMH>١'-&'XuT䵴f[UHO~DC.6OY-`(9/rq]ȩzxXuoXܧE~"rntL7ýԎ+^@(NEVu2k7x/[_YN.t0o !_GoYM21/ȄKԍ)A/x9GQ r0xf&4NlEWy/("+xQESrk]O}0]vY A ̯> H-н>y{lo&|)s'AޚuhaJofm6eL07)۽,v7*ApKG<-L?Gfc:M"IQU֫UdU)IW}Y)GG8LztHt.lF觵4 Z2fP:;G׍;qGecF0XoWE+R!ekEwWSU+KT7ڲ&E%mKh#i>R{k!bi<O[eỡܭ)‹W$`DI@RigA j(lWwpmU0p>7OI$|+؊wO_o+NO֊ v™+[ g5;VS M[k/!1 %]%h3[Q@)w#_ƥG/>qh'pjox?F's䇷fd2ĕ֕O,0eȾӝ@Xbi\Ҷ&,Q,W'21')Y*;KK;~/F9E*/ +_F!;Q};u}3S!mj}龗ˊ򲾷E&96Lҩo")^7_ΫЏtf9='!%;&)FvO-PJ ;1I$@o[q!7t"#~ 1 {yoY{YT09%&nlq7R UXc2W౱r?L@dI\5Gd(΁,3FzXn`Y:Qmr'5ec:;" tI ]m51т T-$F^M\b]*iO3ފ4kgٌHXvGl+N(NL;]ɒ9 󇕒ťv-˵d;\CS%WCޮ8WCy#V*,iԱL C[kÚZ9L)oWݮ"mz9?|` ^ x9!u;ҙ1"ؠaF" a#}y}^1muwbT%->%Zx 7skrQ@#܎c@#NGurXssڻ&)m٩Z3:'McssRۃޕxvy(nх&EuƮtT9tR7`V:T+y7~'wEr7OyUL#:Q q'a9)\l+,W7\~*-+ݶxr ^AaHkv{ܾVJ,S}u/f: eH0( Bҡk3iּh/MQGbT+WJ%"@0'!@$ @ G{zQ{=6RǙঅ|:],R"0".(%Er! H@{vs6# c,ǒVvͼ,MtB-:a`+/w'݁t >>1]'rJqEay %^lH9M վ5[WS]3|^k8?fˉ:!RbdbC%!Ѻ-2='Y4Œp,K>8|5P[i[}]]L@)]XbG&|F':a>z$X-zܺꖜjnNl1A;"G >c {9<UdvG0,;>p!"A$ D-9Կ( oٶ5H]K;lAlx)BatIz}TSwnlCW7$.< PB!0(D@#.oRK{JW).]g7l$a J6xt*$ ѫ_1#lOwd.(wRi"/DBso =Ҟ[a7'prH-޳{ `j_g>}O\Зs VX\5p_B/F+ŷf wDc)ͷ*I-찆߼f{CSYmcl(M#ۀږձևxQF^E6ә{OWG+eYY -}-wR'Ͱ`6ꇠd+l$5̐ؐG0j%M"q0MsI2⌉famy%seJ5p79D2DVSt:z`]gNI;޵7 5a0 kW^/m+xՉO%Wȼ -.S '鋳CtW@c1Y}Gj w.P5F)>40Lb/̈Ȟ)tk̷(#cٸ{l`>18~w4~X67ݿ ~VxrlͪvCbg'񕅤= ֱwҘX?_kf?qE?~TO`u.sͦ 0a6 :u&}3\yyk1u;Ga)_7ZEw^e¤ZYt'O|odQEx8n Kg1;=~IneN'<]S1ʇUňе⟎ 񊵚ZG+NB/XgWx$e _Mu,aDVȰ^ я TmS_:C7Տ5NsK(aV—ScWF%3z J 0;CX^q]>0&I⦎~4Gcu\_SS[WXZoA[#rd! `,%o,"%xa /quQ%. /)/+iyp0^zq6jsϙTh,ZNtEaĥpL1h%RZ YE]ɖ1x}[/>Lz'5aL=P;IU6'a|Q+A*VH5ism/ksM>ٜ>7-eM13ɆX50yfB׵'a^vD76f|W@O[fkhP♛UD֝u~؇RcS-*);,ՐB%^v9]7pOdhMeaZi/ ~ SDc>2SU"cm#Z~RQ,d仼WVRer@Y7EnI:&|z`RBK.ڳ{z^Nz kH{wi ~JkK`6;QiәF;1v뮒tڦJ7s>_dS'B[$K^ur}{ι0sS %gevC->`3+nVTm}qV]%F-Rt 3]sK?S@$}/Hk4hDΡgäg=0FOU TbxdO_ňVSR>fDk9mǖA&_cByĨ @>ggnyVmIz.kx>atR>jueqj+Y kj]>ҡ+qܑ.ufY1m,XtB'`2oB`(xMI9T~%N/|T0/b#-񸔦#C /Vb|$z34mGm׀gUV""ab+pD['ٍI 取0Uc `xU$!fս WEg0*ϼ0]'Ln 1EYG7`C[5E9Y|obL<`A~Bj @̐0(OIJ uXZFB(s 6&HGolu7@F`p3W VjMDO"ӡRs])ÚP4POuyhV?Dk0M镬B*%^Șq~/o: &a@}lFL r,4[YMCN7AwEN:[49ۼ6/*(H].;NSʙhSgµ,%E:wFU 3@cqy^ ?;gQ~\31sjo:O֖C|zg'>;yIS:jS#ZuRBjs'$ )ns9UЌLjV}QuxS S+S~7O[rʑ@v'O7}rPasy9]99y yß(W9sϡţu>Tk6WY2-KaaP$_|rx#9,kOg >wN?toҹj] [;35J쓭/†>ga#f^*B8D#w_a1zI=0"wCmz$_ M+ 7\zɜ؉&n A |$U˚VVk[*j=vbUUEVrp` VU+D`I9#Tx|Demګ.91C=bh8[閾Pp EЧ oJw̆گ˘͛YʌMMu?/ጽIۯDʑ $` pLR Psoy =s] XIr 9]|LAÆ^Vٍv"n<2Nw!z6fP4ǝa&rV2AA?vXh =xqn9SYF L\^:&23M{6(\x| "e*sCj!f[Nؒ1fQSRۨWE)h HN,{o#+fUh((8[]^L̇A:1gM&EV; 0i:*z D5`=ݤ1FVܹŒk"c.01XxX|sLi @m :o=1M55~ɉ ( kEF(l#by2&6Fr7SO_d Qߖ? ugk6r-qg7)œj@@zvok[1Lms%$2^~1+#Ҵ).,L|C2?u60H-x _X;}v`礿Lx %YÄEZg%^#%&a"c'x M?Xw`W#׽C<94Ǟ#(ـħ%IAa:2Ş_ =5g^Rs Dщ8pRFK_q9 bsފjd!vzk2jSo:h}t(;4Ã_|k[%,;y>AՋpOaHzzh{Ѡt^wkdU9Hz&zu x$^6=k"1DwΖb'OMzcw[/EI)H[QʹT.v }c*u b9?v"ㅰx/!ZQycl#,_ |t,Gwfgs% #]^Π&bO_wsԷeQ&PL®c)Jqk;}GRݤ_*9"% oPm<% *`>=.X&";>6L`>NSc? `nwf9fp'#r9cbV)qdGfӧ[7-["@ e`1v`eD <ձ]w `7G}L޴_%:Ɛ=ۭS)0^p,\f@Gṕ!Xs#Q%ɷ` |_eJÿˍtf_f%\#d<lܷ @WD0;"YcKE&(Xp\gA6ΙYmw9;>Ba2\Dxkyf%3WZP/jdV@8̛l+~e>vį-'yvJ~S O3й?-R/?nK73T|W `GYu`ZkrO8ǩk[mxtz }uke!)1:7f˟]챾WIٮ7G,cӰKQaW:6 6n Myww&7{.**kW46* <򧤝9mo@>1[?܋ϑ{ʾ16^f+9uul g)d̅2 !ɴ^xyu~ҕ^)If`cQd+$*)ؐW m50X1+ (NR(tg0 'Ɣ ϰ" sk׶),S[U .^sƠ`{e75SF =L哳"ECs3ޙ\M萇kÐpaif_/Rc9af[W`0ڌkASkLeU|t#GYEL`&;]+ N*t&ж?8acL 1L\,R.7Wv!Zy΋|_E>ODNű<<Sf}')VSL_X1_,P>I&g\@ʢRv<:~vډ.3Jbq')tߟ.z7 XٺqKOZ}jKQEeiAђuz7NJ]tEg0 .A|>ǐy6#xL vϖg UjT;IxdMn+)FҢpL\2Lrե{7 D^4–mJHU&s)cKM\bZ)MC39U2k k&|YdLp -ϱeRZ`l/Z6?9/