Flaws in Netscape, Cisco and Sophos
In three separate instances, Netscape fixed flaws in its latest browser, a
researcher quit his job after he talked about security flaws in Cisco routers,
and Sophos fixed a flaw in the current version of its software.
Netscape released an updated version of its Netscape 8 browser to fix a pair
of critical security flaws. The new version Netscape 126.96.36.199 takes
care of two flaws that were previously disclosed and fixed in Firefox, the open-source
Web browser on which Netscape 8 is based.
The updated release fixes only the most serious flaws that were fixed in Firefox
1.0.5. Ten less-serious flaws will be dealt with in another update due in the
coming weeks. The flaw could be exploited remotely, and allowed an attacker
to hijack a victims PC.
The Netscape update also fixes two other bugs, including one that could cause
the browser to crash when downloading large images. Additionally, the update
deals with some performance issues.
This revamp is the third since Netscape 8 was launched in May. A day after launching
the Web browser and touting its security features, Netscape had to issue a new
version to fix several serious security flaws. Then last month Netscape released
an update to fix a bug that broke XML rendering in Microsofts Internet
Elsewhere, Michael Lynn, a research analyst at Internet Security Systems (ISS),
spoke at a Black Hat conference in the US about how unpatched Cisco routers
can be remotely compromised. His revelation ignited a spate of lawsuits against
Lynn and the conference.
Although Lynns planned technical talk and demo was abruptly cancelled,
the researcher went ahead with the talk anyway. Lynn, who originally uncovered
the problem, was asked to resign after his presentation, but said he felt compelled
to reveal the information in the interest of his country and the national infrastructure.
Lynn did not publicly offer the specific code to carry out the attack which
he said could be accomplished in several ways on unpatched Cisco routers, but
he provided evidence of how it could be done. Lynn said he got some of his insights
by reading information posted on Chinese hacker sites.
The Sophos flawa buffer overflow vulnerabilityhas been fixed in
some current versions of Sophos products and will be patched in others. Companies
running Sophos anti-Virus version 3.96.0 on Windows, Unix, NetWare, OS/2 and
OpenVMS are not affected. Also unaffected is Sophos Anti-Virus 4.5.4.
The company didnt give specifics, but the flaw is due to a heap overflow
bug when analysing malformed files. An attacker could exploit the bug via a
specially crafted e-mail attachment to execute malicious code and take over