Notified: March 30, 2001
Updated: April 12, 2001
We have concluded that the bug, as described below, does NOT affect Netscape clients 4.x and 6.x for the following two reasons:
1. We ALWAYS verify that the user wants to open/launch the attachment with a link. The user must click this link to view/launch the attachment.
2. Also, we ALWAYS stay true to the MIME type given. Therefore, if someone sent a malicious .exe file, and manually changed the MIME type to image/gif, Netscape would open the file as a gif. The result would be garbled binary code.
As a result of our forced check for user authorization (bullet #1) we assume that the bug in question does not affect us.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.