Netscape Security

Bill Moseley moseley at netcom.com
Sat Dec 7 14:20:19 EST 1996


Here is another security tip when using Netscape & Windows:

One thing you want to control with Netscape is what "helper" applications
are setup to run with Netscape.  Helper applications are setup in
Netscape's General Preferences/Helpers screen.  Here you (or programs you
install) associate a MIME type with an external application (and file
extensions with MIME types).

For example, helpers can be used automatically un compress .ZIP files when
downloaded or to automatically start the Real Audio Player when you click
on a .ra file.

You should review the helper applications to make sure only the programs
you wish can run from within Netscape.  If you need to remove entire MIME
types (that are not hard-coded into Netscape) you must edit the
Netscape.ini file in Win 3.1 or the registry entries for Netscape in Win 95.

Not so well known is that Netscape also looks in WIN.INI for helper
applications to run (both Win 3.1 and Win 95) - and perhaps this is a
larger security hole.  Netscape will use its own "helper" settings first if
they exist for a file type, but if not it will use any associations in the
WIN.INI [Extensions] section.

When Netscape runs this type of helper application a warning message is
displayed saying "There is a possible security hazard", but the warning
also includes a check box to prevent that message from displaying again.
Checking this box adds the external helper application to a list of
"trusted" applications that Netscape maintains.

So, you should also check your WIN.INI [Extensions] section.  In Windows 95
you can delete the entire section (since associations are made using the
registry), but removing these in Win 3.1 will mean that you can't
double-click on a file in File Manager and open the associated application.
 (You can also disable without deleting by renaming the section - e.g.
[Extension] -> [oldExtensions].)

An example of how someone could take advantage of this security hole to run
command.com is:

1) replace your WIN.INI file with one that includes an additional line in
[Extensions]:
   AAA=command.com ^.AAA

2) load a file with an .AAA extension into Netscape using one of the
following:
     open a local file with the .AAA extension (file:///c|/file.AAA)
     ftp to a machine that has a .AAA file and click on it
     in Win 95 drag a .AAA file from a File/Save dialog onto Netscape's
window.

The obvious solution to protect against this problem is to make your
WIN.INI file read only.  Note:  Some HP printers (DeskJets) fail to work if
WIN.INI is set readonly in Win 3.1.

(Win 95 users: this will even bypass the "RestrictRun" policy settings.)

Granted, this is an unlikely event, but it does give one more reason to
backup.

Feel free to email me if you have questions.
Bill Moseley
mailto:moseley at netcom.com



More information about the Web4lib mailing list