mailing list archives
FF IDN buffer overflow workaround works in Netscape too
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Fri, 16 Sep 2005 01:27:09 +0300 (EEST)
Summary about Firefox IDN buffer overflow vulnerability workarounds in
[a new, more informative title used]
Instructions and methods described at Mozilla Foundation Security
Advisory "What Firefox and Mozilla users should know about the IDN
buffer overflow security issue"
https://addons.mozilla.org/messages/307259.html (yes, it was
http://www.mozilla.org/security/idn.html earlier) can be used in Netscape too.
This advisory has been included to security company advisories handling
this security issue and mentioned in the news widely.
Disabling IDN (Internationalized Domain Names) support via about:config
feature or prefs.js configuration file is possible in Netscape Browser 8
too. Additionally, .xpi file for Firefox and Mozilla Suite works in
Netscape 18.104.22.168 too. Test in Windows environment was successful and
even UA was changed to include '....Gecko/20050729 <<(No IDN)>>
However, the manual method is recommended.
Vendor developer team was contacted, no reply yet.
Like US-CERT says in Firefox VU#573857: "While implementing this
workaround does not correct the buffer overflow error, it prevents the
vulnerable portion of code from being exploited."
When an updated version of Netscape Browser 8 is available the download
link is http://browser.netscape.com/ns8/download/default.jsp
- FF IDN buffer overflow workaround works in Netscape too Juha-Matti Laurio (Sep 16)