Netscape Communications Corporation Information for VU#980499
Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML
- Date Notified: 30 Mar 2001
- Statement Date:
- Date Updated: 12 Apr 2001
We have concluded that the bug, as described below, does NOT affect Netscape clients 4.x and 6.x for the following two reasons:
- We ALWAYS verify that the user wants to open/launch the attachment with a link. The user must click this link to view/launch the attachment.
- Also, we ALWAYS stay true to the MIME type given. Therefore, if someone sent a malicious .exe file, and manually changed the MIME type to image/gif, Netscape would open the file as a gif. The result would be garbled binary code.
As a result of our forced check for user authorization (bullet #1) we assume that the bug in question does not affect us.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
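The statement's example of an .exe file relabelled as image/gif can be checked for on the receiving side. The following is an added example, not code from Netscape or the CERT/CC: it walks a constructed message and flags attachments whose declared MIME type disagrees with the filename extension or the leading bytes. The sample message, the extension list and the signature table are assumptions made for the illustration.

```python
import os
from email import message_from_string

# Constructed sample message (not from the advisory): an honest GIF part and a
# part declared as image/gif whose filename ends in .exe and whose bytes start "MZ".
SAMPLE = (
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="XX"\n\n'
    '--XX\n'
    'Content-Type: image/gif\n'
    'Content-Disposition: inline; filename="logo.gif"\n'
    'Content-Transfer-Encoding: base64\n\n'
    'R0lGODlhAQABAAAAACw=\n'
    '--XX\n'
    'Content-Type: image/gif\n'
    'Content-Disposition: inline; filename="photo.exe"\n'
    'Content-Transfer-Encoding: base64\n\n'
    'TVqQAAMAAAAEAAAA\n'
    '--XX--\n'
)

# Assumed, deliberately small tables for this example.
SIGNATURES = {"image/gif": (b"GIF87a", b"GIF89a")}
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}

def audit_attachments(raw):
    """Return (filename, declared_type, flags) for every named leaf part."""
    results = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        declared = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        flags = []
        if ext in EXECUTABLE_EXTS and not declared.startswith("application/"):
            flags.append("executable-extension-under-non-application-type")
        sigs = SIGNATURES.get(declared)
        if sigs and not body.startswith(sigs):
            flags.append("content-does-not-match-declared-type")
        results.append((name, declared, flags))
    return results

if __name__ == "__main__":
    for name, declared, flags in audit_attachments(SAMPLE):
        print(name, declared, flags or "consistent")
```

A part with any flag is one where the label and the content disagree, so a handler chosen by extension or by sniffing would treat it differently from one chosen by the declared type.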