Article 30052 of alt.security:
Path: nntpd.lkg.dec.com!crl.dec.com!crl.dec.com!caen!hookup!solaris.cc.vt.edu!news.mathworks.com!uunet!in2.uu.net!news.sprintlink.net!news.clark.net!news.clark.net!not-for-mail
From: rjc@clark.net (Ray Cromwell)
Newsgroups: comp.infosystems.www.misc,sci.crypt,alt.security
Subject: Web Browser Bugs (security hole, be aware)
Date: 26 Sep 1995 19:59:51 -0400
Organization: Clark Internet Services, Inc.
Lines: 32
Message-ID: <44a45n$ago@clark.net>
NNTP-Posting-Host: clark.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Xref: nntpd.lkg.dec.com comp.infosystems.www.misc:37824 sci.crypt:44364 alt.security:30052

Last Friday I discovered a buffer overflow bug in Netscape which allows overlong URLs (long domain names) to overflow a buffer and put garbage on the process stack. [See article in the WSJ and NYT.] Since then, other cypherpunks have verified that this bug exists in Mosaic and IBM's WebExplorer.

If you are the author of a Web browser, please check your code for potential buffer overflows in the URL processing section, especially any code that assumes a fixed-size domain name!

Although an exploit hasn't been produced yet, personally I have been able to modify the PC register on my machine using a special URL. All that's needed is to add some assembly code, and arbitrary instructions can be executed on anyone's browser that executes that URL.

In fact, it can hit you without your even seeing it. If it were just a hyperlink in a document, you could look at it before you click on it and see that it is malformed. However, a server could just as easily return a malformed, dangerous URL via server redirection, and you'd never see it coming.

If a working exploit is possible, this is a significant security hole. Imagine clicking on a URL and having it erase all your files, or infect you with a virus, or steal company information right through your firewall.
The reason I am posting this is that I haven't seen any alerts about it on other mailing lists or security groups.

-Ray
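The bug class the post describes, as an added example that is not Ray's code and not taken from any of the browsers named: a hostname parser that copies the domain name into a fixed-size buffer with no length check, next to a bounds-checked version, plus a stub `Location:` parser to show how a redirect delivers the URL without the user ever seeing it. The buffer size (`HOST_MAX`), the `struct frame` stand-in for a stack frame, the function names and the sample URLs are all assumptions made for the demonstration; the overrun is deliberately confined to the struct so the program itself does not crash.

```c
/* Added example: fixed-size hostname buffer overrun by an overlong URL
 * (vulnerable form) beside a bounds-checked form. Not the original
 * post's code; names, sizes and sample inputs are assumed. */
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* assumed size of the browser's hostname buffer */

/* Stand-in for a stack frame: the hostname buffer followed by whatever
 * sits after it in memory (here a marker standing in for the saved
 * return address / PC the post says a long URL can modify). */
struct frame {
    char host[HOST_MAX];
    unsigned char saved_ret[8];
};

/* Constructed sample inputs: a short URL, an overlong one (92-byte
 * host), and a redirect header line carrying the overlong URL. */
static const char SHORT_URL[] = "http://www.example.com/index.html";
static const char LONG_URL[] =
    "http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    ".example.com/index.html";
static const char REDIRECT_LINE[] =
    "Location: http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    ".example.com/index.html";

/* Pointer to the host part of an http:// URL, or NULL if not http. */
static const char *host_start(const char *url) {
    static const char prefix[] = "http://";
    if (strncmp(url, prefix, sizeof prefix - 1) != 0)
        return NULL;
    return url + (sizeof prefix - 1);
}

/* Length of the host component: up to '/', ':' or end of string. */
static size_t host_len(const char *h) {
    return strcspn(h, "/:");
}

/* The URL a server sends back in a redirect; the user never sees it. */
const char *location_url(const char *header_line) {
    static const char prefix[] = "Location: ";
    if (strncmp(header_line, prefix, sizeof prefix - 1) != 0)
        return NULL;
    return header_line + (sizeof prefix - 1);
}

/* VULNERABLE: copies the hostname into the fixed buffer with no length
 * check (the strcpy-style bug the post describes). Returns 1 if the copy
 * ran past host[] and clobbered saved_ret, 0 if it stayed inside, -1 if
 * the URL is not http. The copy is capped at the struct size only so
 * this demo cannot smash the real stack of the process running it. */
int extract_host_unchecked(const char *url) {
    struct frame f;
    char *dst = (char *)&f;          /* byte view of the whole frame */
    const char *h = host_start(url);
    size_t n, i;
    if (h == NULL) return -1;
    memset(f.saved_ret, 0xAA, sizeof f.saved_ret);
    n = host_len(h);
    for (i = 0; i < n && i < sizeof f - 1; i++)
        dst[i] = h[i];               /* no HOST_MAX check: the bug */
    dst[i] = '\0';
    for (i = 0; i < sizeof f.saved_ret; i++)
        if (f.saved_ret[i] != 0xAA) return 1;
    return 0;
}

/* HARDENED: rejects a host that does not fit (with its NUL) in outsz.
 * Returns 0 on success, -1 on non-http, empty or overlong host. */
int extract_host_checked(const char *url, char *out, size_t outsz) {
    const char *h = host_start(url);
    size_t n;
    if (h == NULL) return -1;
    n = host_len(h);
    if (n == 0 || n >= outsz) return -1;
    memcpy(out, h, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper: 1 if the checked parser accepts the URL. */
int checked_accepts(const char *url) {
    char host[HOST_MAX];
    return extract_host_checked(url, host, sizeof host) == 0;
}

int main(void) {
    const char *via_redirect = location_url(REDIRECT_LINE);
    printf("short URL, unchecked: clobbered=%d\n", extract_host_unchecked(SHORT_URL));
    printf("redirect URL, unchecked: clobbered=%d\n", extract_host_unchecked(via_redirect));
    printf("redirect URL, checked: accepted=%d\n", checked_accepts(via_redirect));
    return 0;
}
```

The unchecked parser copies a 92-byte host over a 64-byte buffer and overwrites the bytes that follow it, which in a real frame would be saved registers and the return address; the checked one fails closed on anything that does not fit. Note that the length check has to use the size of the destination buffer, not a separate constant that can drift out of sync with it.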