Netscape Upgrade May Not Fix Critical Flaw

America Online recommends that users upgrade to the Netscape 8 beta, which is based on Firefox code; however, the beta release has not yet imported recent Firefox security fixes.

AOL on Wednesday urged users of its Netscape Web browser to upgrade immediately to the latest beta version to protect against a potentially dangerous security vulnerability.

The flaw, which carries a "highly critical" rating from Secunia, has been confirmed in Netscape versions 6.x through 7.x.

Secunia did not release details on the vulnerability, but it appears to be the same GIF processing error that affected the Mozilla Foundations Firefox browser.

According to a previously released Mozilla advisory, the flaw exists in the way the obsolete Netscape Extension 2 parses GIF images, and can lead to an exploitable heap overrun.

In extreme cases, an attacker can use a specially crafted GIF image to exploit the bug and run arbitrary code on the victims machine.

/zimages/3/28571.gifRead more here about the GIF processing error that previously affected Mozillas Firefox browser.

Firefox has already corrected the flaw in version 1.0.2, but that fix has not yet been imported into Netscape 8.0, America Online Inc.s most recent beta, which uses the Firefox 1.0 code base.

AOL spokesman Andrew Weinstein recommended that users upgrade to Netscape 8.0, which he claimed was not vulnerable to the flaw flagged by Secunia. However, according to the Netscape 8.0 beta release notes, none of the security fixes since Firefox 1.0 have been folded into Netscape.

/zimages/3/28571.gifClick here to read more about the Netscape 8.0 beta release.

"The deficiencies noted in Firefox 1.0 are inherited in Netscape 8 BETA in most cases. Patches to the Firefox code base will be imported into Netscape 8 BETA as they become available and are tested for compatibility. The recently released 1.0.1 patch has not been imported into Netscape 8 BETA," the documentation said.

Weinstein told Ziff Davis Internet News that the plan is to import all the Firefox security patches—up to Firefox 1.0.3—into the gold version of Netscape 8, which is expected to ship "over the next few weeks."

America Online is currently testing a stand-alone browser based on Microsoft Corp.s Internet Explorer and not on the Netscape engine.

According to Secunia statistics, about 50 percent of all reported vulnerabilities in Netscape 7.x remain unpatched. The statistics are based on 19 advisories between 2003 and 2005, and the ratings range in severity from "moderately critical" to "highly critical."

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.