N97042b: Shockwave security hole exposes your emails! This week it is apparently Netscape's turn to have a serious security problem. It affects users who have installed the widespread, award-winning Macromedia Shockwave plug-in. A malicious user can read and copy the web surfer's private email - including supposedly deleted messages - without the surfer's knowledge, and can even reach internal company web servers behind firewalls. David de Vitry, a software developer, discovered the security problem and announced on Monday on his website http://www.webcomics.com/shockwave that Netscape users with the Shockwave plug-in installed are in imminent danger. The freeware Shockwave is currently installed on more than 20 million computers. To demonstrate the flaw, de Vitry set up a web page, http://www.webcomics.com/shockwave/mail.html, which proves how a web server can get at your emails merely by the connection being established - no links or forms have to be selected. By using the default path C:/Program Files/Netscape/Navigator/Mail/Inbox and sending a mailto: request with Shockwave's getnettext command, a cracker could develop a Shockwave movie that reads out the user's emails. With a few more commands the data could be sent back to the web server. By changing the path from .../Inbox to .../Trash, data that was actually meant to be deleted could then be transferred as well. The victim would have to be using Netscape Navigator 3.0 or 2.0 under Windows 95 or Windows NT and be using the Netscape email program. Both affected companies were notified on Tuesday evening, and neither was willing to comment.

Here is the complete article, which can also be retrieved at http://www.wired.com/news/:

Shockwave Security Hole Leaves Email Exposed
by Michael Stutz
10:02am 13.Mar.97.PST

Last week, the Web security booby prize went to Microsoft Internet Explorer. This week, it's Netscape's turn.

The latest hole to be added to the list of recent security gaffes involves Macromedia Shockwave and Netscape Navigator. A malicious user can read and copy a Web surfer's private email - including supposedly deleted messages - without their knowledge, and even access internal Web servers behind corporate firewalls.

David de Vitry, an application developer at Poppe Tyson Interactive, discovered the security hole and announced Monday on his Web site that Netscape users who have installed Macromedia's Shockwave plug-in are at risk. Shockwave was recently awarded Best World Wide Web Plug-In by the Software Publisher's Association. Macromedia claims the free software is installed on more than 20 million desktops.

To demonstrate the flaw, de Vitry set up a Web page that shows how a Web server can obtain your email upon connecting - no links or forms need be selected.

"I was just browsing my Netscape Mail and I discovered how Netscape handles addressing email," said de Vitry, referring to Netscape's use of the mailbox URN. "It took me by surprise, and [the means] to implement [the hole] just sort of clicked with my Shockwave experience."

Utilizing the default path to a Windows user's mailbox - C:/Program Files/Netscape/Navigator/Mail/Inbox - and sending a mailto: query with Shockwave's GETNETTEXT command, a cracker could develop a Shockwave movie that reads the user's current email. With a few more commands, that email could be saved to a data variable and sent back to the Web server, where it could be copied and saved. By changing the path from the Inbox to, say, the Trash, a Shockwave movie could then retrieve email messages that were thought deleted by the user.

"It's much like accessing a file, because you're just accessing a mail file. With the mailbox URN you can access any file on the system as long as it's in the same format, which is text with email headers," said de Vitry.

"Because of the security model, Java applets can't access files on your computer. Shockwave doesn't have the same security model," said de Vitry. "Unlike the other [recent security holes], which allowed you to erase a person's hard drive (and, through complicated means, obtain information), this one you can easily get information back. It has interesting uses."

Using these same concepts, it's possible to break the security of corporate firewalls. "The other main vulnerability," said de Vitry, "is the fact that it can use [the Web's] hypertext transfer protocol to access any Web server." Including those on secure intranets - provided you know the URL.

The victim must be using Netscape Navigator 3.0, or possibly 2.0, on either the Windows 95 or Windows NT platform, and have Macromedia's Shockwave plug-in installed. Finally, Netscape Email must be used as the email interface.

While de Vitry claims he informed both Netscape and Macromedia late Tuesday night, neither company has contacted him.

Dave Kennedy, research team chief with the National Computer Security Association, commented that "[The security breach] doesn't surprise me, and I predict it will happen more in the future. Internet Explorer had three last week, Java had one, and now it's Netscape's turn in the barrel.

"I have more confidence in Netscape than Internet Explorer with respect to the security of their different products," said Kennedy. "But with the plug-in problem, my peers in the security community are scared of the implications of the increased user functions without regard to security," he said.

Shockwave is Macromedia's proprietary technology for delivering and experiencing multimedia over the Web for Windows or Macintosh computers. The plug-in modules are created with Macromedia's Director multimedia authoring tool.

As of Wednesday evening, Mary Leong of Macromedia said the company had been unaware of the bug. "The Shockwave team are now in investigation mode in full force," she said. "We'd really like the opportunity to verify this, and then offer insight or solution if applicable," she said.

Netscape could not be reached for comment.
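
The article contrasts Java's applet restrictions with Shockwave, whose network-text call accepted a local mailbox URN and intranet URLs. As an added example (not code from the article, Macromedia or Netscape), the sketch below shows the kind of scheme and same-origin gate a plug-in host can place in front of requests issued by downloaded content; the function names, the example hosts and the exact spelling of the mailbox URL are constructed assumptions.

```javascript
// Added illustration: a gate applied before a plug-in honours a network
// request made by downloaded content. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function checkPluginFetch(movieUrl, requestedUrl) {
  let movie, target;
  try {
    movie = new URL(movieUrl);
    // Relative requests resolve against the movie's own location.
    target = new URL(requestedUrl, movie);
  } catch (err) {
    return { allowed: false, reason: "unparseable URL" };
  }
  // Local-resource schemes (mailbox:, file:, ...) are refused outright,
  // so content can never ask the browser to read a file on its behalf.
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { allowed: false, reason: `scheme ${target.protocol} not allowed` };
  }
  // Same-origin rule: content may only talk to the server it came from,
  // which also keeps it away from intranet hosts behind the firewall.
  if (target.origin !== movie.origin) {
    return { allowed: false, reason: `cross-origin request to ${target.host}` };
  }
  return { allowed: true, reason: "same-origin http(s)" };
}

// Constructed sample requests; the mailbox URL syntax is an assumption built
// from the default path quoted in the article.
const MOVIE = "http://movies.example/shockwave/demo.dcr";
const SAMPLE_REQUESTS = [
  "data/levels.txt",
  "mailbox:C:/Program Files/Netscape/Navigator/Mail/Inbox",
  "http://intranet.corp.example/index.html",
];

// Returns one verdict per request so a host can log every refusal.
function auditRequests(movieUrl, requests) {
  return requests.map((r) => ({ request: r, ...checkPluginFetch(movieUrl, r) }));
}

for (const v of auditRequests(MOVIE, SAMPLE_REQUESTS)) {
  console.log(v.allowed ? "ALLOW" : "DENY ", v.request, "-", v.reason);
}
```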