This does not mean there are none in Netscape's Navigator or in Microsoft's Internet Explorer. Rather, my available time is being spent on other, more important pursuits.
If you insist on doing so, I'll have to insist on billing you. And you can't afford me.
The press had a spotty record of reporting correctly on this as it happened in 1996. I've prepared a small report on the stories I've seen. I'm amazed at how inaccurate some of the stories are! You'd think that they would have at least read some of what I've written! If you see an article in the press mentioning these pages, please let me know (John LoVerso).
Want the latest on security exploits? I suggest a visit to George Guninski's Security Research pages. I consider him exceptionally adept in finding problems. I'd like to think that if I had ever stayed this course (rather than getting back to real work) I might be discovering and reporting as many problems as George!
It was alarming that the fix for this, a release of 4.01, was only initially made for Windows 95. This left every other platform vulnerable. However, by 4.03 (and/or 4.03b8 on many platforms) this bug was fixed.
I held off releasing the exploits for the March 18 and March 21 bugs partially because they are nasty problems and partially because Netscape asked me to. Even though they were both fixed in both 3.0 ``preview releases'', I've waited until 2.02 was released. Hence, they are now linked in below.
As of May 1, I have made this exploit available.
As of May 5/1, I have made this exploit available.
Anyway, utilizing a Save File dialog as the initiator, this lets me build a history tracker that works with 2.01. I've created a sample exploit. This writes the same log as my 2/22 tracker, so use this to view the tail of the logfile.
Note that with 2.01, the 1x1 window previously used ends up being bigger, so you can easily see it flash. And, the ``stuck onload'' gets unstuck by visiting another page with an onLoad() tag. This may not be a very intriguing way to spy on someone.
    document.open("Can I write to your disk?")
    document.write("<censored>")
    document.close()
Try my example.
Note that the file never gets closed until you exit Netscape, so small writes tend to get buffered up and not output.
You can read the original article I posted to the RISKS Forum on this problem. That whole issue is also available in the archive in the UK. Another article of interest appeared in Keith Dawson's TBTF on Feb 27, 1996.
This is fixed in Netscape-2.01.