Last revised: November 9, 1999
Updated broken links.
A complete revision history is at the end of this file.
The vulnerability can be exploited even if the browser is behind a firewall and even when users browse "secure" HTTPS-based documents.
We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.
II. ImpactThis vulnerability permits remote attackers to monitor a user's browser activity, including:
- observing the URLs of visited documents,
- observing data filled into HTML forms (including passwords), and
- observing the values of cookies.
A. Obtain and install a patch for this problem.See Appendix A for the current information from vendors. We will update the appendix when we receive further information.
Appendix A - Vendor InformationBelow is information we have received from vendors. We will update this appendix as we receive additional information.
Hewlett-PackardFor more information please refer to the Hewlett-Packard Security Advisory "Security Advisory in Netscape shipped with HP-UX", Document ID: HPSBUX9707-065.
Use your browser to get to the HP Electronic Support Center page:
(for US, Canada, Asia-Pacific, & Latin-America)
Click on the Technical Knowledge Database, register as a user (remember to save the User ID assigned to you, and your password), and it will connect to a HP Search Technical Knowledge DB page. Near the bottom is a hyperlink to our Security Bulletin archive. Once in the archive there is another link to our current security patch matrix. Updated daily, this matrix is categorized by platform/OS release, and by bulletin topic.
IBM CorporationNetscape for IBM's OS/2 Operating System is vulnerable. The vulnerable version and the patched version are both 2.02.
To tell if you need to download and reinstall, open the Netscape folder on the OS/2 desktop. Click on the icon marked "Installation Utility." When the "Installation and Maintenance" program starts, make sure "02.02.00 Netscape for OS/2" is highlighted and hit control-S. On the product status panel that opens up, highlight "Netscape Navigator" and then press the "Service Level" button next to it. Ignore the install date -- that's the date Navigator was installed. If "Level" is not "000004" or later, you should download Netscape Navigator for OS/2 from the above mentioned URL and install it.
MicrosoftMicrosoft Internet Explorer 3.* and 4.* are vulnerable. Microsoft has announced their patch plans for this problem at:
NetscapeNetscape Navigator/Communicator versions 2.*, 3.* and 4.* are vulnerable.
The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent Technologies, for identifying and analyzing this problem, and vendors for their support in responding to this problem.
Copyright 1997 Carnegie Mellon University.
Sept. 30, 1997 Updated copyright statement Sept. 17, 1997 Appendix A - updated Netscape's URLs Updated our copyright statement July 28, 1997 Appendix A - added information for Hewlett-Packard and IBM. Section III.A - slight wording change. July 14, 1997 Section III.B - fixed a typographical error. July 11, 1997 Updated Appendix A with vendor information for vulnerable browers. November 9, 1999 Updated broken links.