ALARM Group ALERT
Alert Number: 091905-01
Alert Date: 09/19/05
Alert Title: Netscape and Mozilla Browser Vulnerability
Update-to: None
OS/Platform/Application: Current versions (v8.0.3.3) of Netscape Browser and Mozilla Suite/Firefox web browser (1.0.6)
Category: ALERT
Severity: None
Attention: Netscape and Mozilla product users, Desktop Support Personnel
Summary: Information about a flaw in the method used by Netscape and Mozilla web browsers to handle malformed URLs has been publicly reported to several Internet security websites and resources. Exploitation of this vulnerability could result in an application crash or execution of arbitrary code, leading many organizations to list this vulnerability as 'critical'. Mozilla is offering a security patch and manual browser configuration instructions (links provided below) as workarounds to this vulnerability. At the time of this writing, Netscape has not released a patch, but some security resources are reporting that the manual browser configuration used on the Mozilla product can be implemented on the Netscape browser as well.
Recommended Actions: Mozilla users are encouraged to consider installing the security patch or reconfiguring their browsers per the instructions supplied by the vendor. Netscape users are encouraged to consider reconfiguring their browsers using the instructions provided by Mozilla.
ITS-Wide Actions: ITS is taking no specific additional actions to counter the vulnerabilities detailed in this message. An update will be issued if this situation changes.
Resources:
Mozilla security advisory (includes patch and manual browser configuration instructions):
https://addons.mozilla.org/messages/307259.html
SANS handler information (details cross-compatibility of Mozilla and Netscape browser configuration):
http://isc.sans.org/diary.php?date=2005-09-11
US-CERT Advisory:
http://www.kb.cert.org/vuls/id/573857