Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Netscape 4 Java buffer overflow

Netscape 4 Java buffer overflow

by Nikola Strahija on November 26th, 2002 The Java implementation of Netscape 4 contains a buffer overflow vulnerability. Arbitrary code may be run on a Netscape user's system when a web page containing a malicious applet is viewed.


The buffer overflow happens in the method canConvert() of the class
sun.awt.windows.WDefaultFontCharset. An applet may trigger the overflow
by passing a long string to the constructor of the class and invoking the
method canConvert() on the created instance. In Java:

new WDefaultFontCharset(long_string).canConvert('x');

The vulnerability is trivial case of buffer overflow. Its
exploitability has been confirmed with an exploit which runs a program
when a web page is viewed.

Netscape 4 has a very limited user base nowadays. Other Netscape
versions use Sun Microsystem's Java Plug-in so they aren't vulnerable.
This vulnerability only affects the Windows platform which limits the
number of vulnerable systems further. The vulnerability doesn't appear
exploitable on other browsers. Netscape and Sun Microsystems were
informed about the problem in August 2002. Netscape 4 users can protect
themselves from the flaw by disabling Java in Preferences.



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »