The Java implementation of Netscape 4 contains a buffer overflow vulnerability. Arbitrary code may be run on a Netscape user's system when a web page containing a malicious applet is viewed.

The buffer overflow happens in the method canConvert() of the class sun.awt.windows.WDefaultFontCharset. An applet may trigger the overflow by passing a long string to the constructor of the class and invoking the method canConvert() on the created instance. In Java:

    new WDefaultFontCharset(long_string).canConvert('x');

The vulnerability is a trivial case of buffer overflow. Its exploitability has been confirmed with an exploit which runs a program when a web page is viewed.

Netscape 4 has a very limited user base nowadays. Other Netscape versions use Sun Microsystems' Java Plug-in, so they aren't vulnerable. This vulnerability only affects the Windows platform, which limits the number of vulnerable systems further. The vulnerability doesn't appear exploitable on other browsers.

Netscape and Sun Microsystems were informed about the problem in August 2002.

Netscape 4 users can protect themselves from the flaw by disabling Java in Preferences.

Jouko Pynnönen
jouko@solutions.fi
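Because the trigger is a call into a specific internal class, any applet that reaches it must name sun/awt/windows/WDefaultFontCharset in its class-file constant pool. The following scanner, added here as an illustration and not part of the advisory or of Netscape's code, parses the constant pool of each .class entry in a jar and flags Class and Methodref entries that resolve to that class and to canConvert. The sample jar, the class bytes in it and the entry names (Suspect.class, Hello.class) are constructed for the example; the constant-pool layout follows the standard class-file format.

```python
"""Scan applet jars for constant-pool references to the vulnerable class
sun.awt.windows.WDefaultFontCharset (constructed example, not from the advisory)."""
import io
import struct
import zipfile

VULN_CLASS = "sun/awt/windows/WDefaultFontCharset"
VULN_METHOD = "canConvert"

# Fixed payload size in bytes for each constant-pool tag; tag 1 (Utf8) is
# variable-length and handled separately in parse_constant_pool().
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, payload)} for the constant pool of a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    pos, idx, pool = 10, 1, {}
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                 # CONSTANT_Utf8
            length = struct.unpack_from(">H", data, pos)[0]
            text = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pool[idx] = (tag, text)
            pos += 2 + length
        elif tag in _FIXED:
            pool[idx] = (tag, data[pos:pos + _FIXED[tag]])
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1             # Long/Double take two slots
    return pool


def find_vuln_refs(data: bytes) -> list:
    """List constant-pool entries that reference the vulnerable class or method."""
    pool = parse_constant_pool(data)

    def utf8(i):
        tag, value = pool[i]
        return value if tag == 1 else None

    findings = []
    for idx, (tag, payload) in pool.items():
        if tag == 7 and utf8(struct.unpack(">H", payload)[0]) == VULN_CLASS:
            findings.append(f"cp#{idx}: Class {VULN_CLASS}")
        elif tag == 10:                              # CONSTANT_Methodref
            class_idx, nat_idx = struct.unpack(">HH", payload)
            cls = utf8(struct.unpack(">H", pool[class_idx][1])[0])
            name = utf8(struct.unpack(">HH", pool[nat_idx][1])[0])
            if cls == VULN_CLASS and name == VULN_METHOD:
                findings.append(f"cp#{idx}: Methodref {VULN_CLASS}.{VULN_METHOD}")
    return findings


def scan_jar(jar_bytes: bytes) -> dict:
    """Map every .class entry in a jar to its findings (empty list means clean)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                try:
                    report[name] = find_vuln_refs(zf.read(name))
                except ValueError as exc:
                    report[name] = [f"parse error: {exc}"]
    return report


def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b


# Constructed minimal class file: header plus a six-entry constant pool that
# approximates what javac emits for a call to WDefaultFontCharset.canConvert(char).
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 3, 45)   # minor 3, major 45 (JDK 1.1)
    + struct.pack(">H", 7)                              # constant_pool_count = 7
    + _utf8(VULN_CLASS)                                 # #1 Utf8 class name
    + b"\x07" + struct.pack(">H", 1)                    # #2 Class -> #1
    + _utf8(VULN_METHOD)                                # #3 Utf8 method name
    + _utf8("(C)Z")                                     # #4 Utf8 descriptor
    + b"\x0c" + struct.pack(">HH", 3, 4)                # #5 NameAndType -> #3, #4
    + b"\x0a" + struct.pack(">HH", 2, 5)                # #6 Methodref -> #2, #5
)

# Constructed clean class for contrast: only references java/lang/Object.
CLEAN_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 3, 45)
    + struct.pack(">H", 3)
    + _utf8("java/lang/Object")
    + b"\x07" + struct.pack(">H", 1)
)


def build_sample_jar() -> bytes:
    """Constructed jar holding one suspect and one clean class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Suspect.class", SAMPLE_CLASS)
        zf.writestr("Hello.class", CLEAN_CLASS)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_jar(build_sample_jar()).items():
        print(entry, "->", hits or "clean")
```

The scanner only reads the constant pool, so it works on truncated or stripped class files as long as the pool itself is intact. A reference to the class is a strong indicator rather than proof of the overflow, since the string length passed to the constructor is only known at runtime; the check is meant for triage of applets served to Netscape 4 users, alongside the advisory's recommendation to disable Java.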