AOL Ships Netscape Security Patch

America Online Inc. late Wednesday shipped a new version of its Netscape browser to correct multiple critical code execution vulnerabilities inherited from the Firefox code base.

In a brief advisory, AOL said the Netscape v8.0.4 upgrade includes all Firefox security patches through 1.0.7.

In all, nine vulnerabilities are patched, including a critical heap overrun in XBM (X Bitmaps) image processing and a crash on “zero-width non-joiner” sequence caused by a stack corruption that may be exploitable.

The update also addresses a header spoofing flaw in XMLHttpRequest, a JavaScript integer overflow and several regression fixes.

A separate IDN (Internationalized Domain Name) heap overrun flaw inherited from Firefox is also included in the Netscape v8.0.4 patch.

Netscape 8 is based on the Mozilla Foundations Firefox code base, which means that security bugs in Firefox are likely to affect Netscape users. The vulnerabilities patched in v8.0.4 were all patched in Firefox since the middle of September but, because of quality assurance testing, the Netscape upgrade was delayed.

/zimages/3/28571.gifClick here to read about Mozillas Firefox security makeover.

The belated fix comes on the heels of a series of Netscape security hiccups. Earlier this year, the company shipped the final version of Netscape 8 without patches for several publicly known security flaws.

AOL blamed that blunder on an unnamed third-party security vendor.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.