Netscape Guy wrote:
> "Moz Champion (Dan)" wrote:
>
>>> What I mean by their dead products is Netscape isn't
>>> developing them anymore.
>> Microsoft hasn't STOPPED updating XP for security issues
>
> But microsoft has stopped "developing" XP.
>
> Be more clear about what you mean by "developing" vs "updating".
Updating and 'developing' in response to CERT issues are relatively the
same thing. Microsoft is still updating XP for security issues. NO ONE
is updating Netscape (4x, 7x, 8x or 9x) for anything.
>
>> Microsoft doesn't expect to see the EOL (End of Life) for XP
>> until 2014.
>
> Actually, I think it's 2011 (10 years after it was released, which was
> Sept / 2001 if I'm not mistaken).
You are out of step, Microsoft has extended the EOL of Xp to 2014
>
>> They will continue to provide sup****t and updates until that time,
>> so no, XP is NOT DEAD.
>
> But is XP still being "developed" ?
'Develop' and 'Update' with relation to CERT security issues are
relative. If 'new' code has to be written to have XP contend with a new
CERT issue, then yes, 'development' will continue until EOL
>
>> CERT doesn't do***ent threats against outdated/non sup****tted
>> software.
>
> But where are the re****ts of vulnerabilities to Netscape 4.x (or 7.x)
> during the time-frame when those versions were current?
Why ask me? Why don't you ask the people who make the re****ts of
vulnerabilities where the re****ts are. CERT doesnt 'do' vulnerability
re****ts on outdated/non-sup****tted software.
>
> Where are *any* re****ts about the specific vulnerabilities that those
> versions have?
>
> (long rant about "non-sup****ted" stuff deleted)
>
> All I'm asking for is specific postings or do***entation as to what
> vulnerabilities Netscape 4.x or 7.x were re****ted or known to have.
Why don't you go to the CERT sites and look them up? Why would anyone
KEEP such re****ts when the software is no longer sup****tted?
>
> All I've seen here so far is hearsay that they had vulnerabilities.
>
> In fact, here is one source that (apparently) is still do***enting
> vulnerabilites for all versions of Netscape 4 and higher:
>
> http://secunia.com/product/83/?task=advisories
>
> And here is the list of vulnerabilities for Netscape 4.7x:
>
> http://secunia.com/product/83/?task=advisories
>
> Those vulnerabilities are as follows:
>
> Macromedia Flash Player Potential Vulnerabilities
> Vendor Patch. Secunia Advisory 1 of 2 in 2003
>
> Java access to protected fields or methods
> Vendor Patch. Secunia Advisory 2 of 2 in 2003
>
> MacroMedia FlashPlayer buffer overrun affects browsers too
> Vendor Patch. Secunia Advisory 1 of 4 in 2002
>
> Internet Explorer / Netscape / Java multiple vulnerabilities
> Vendor Patch. Secunia Advisory 2 of 4 in 2002
>
> Cross Site Scripting in multiple browsers
> Vendor Patch. Secunia Advisory 4 of 4 in 2002
>
> Netscape disclosure of preferences
> Unpatched. Secunia Advisory 3 of 4 in 2002
>
> Only the last of those really is the fault of Netscape 4.7x, and it
> remains unpatched. Details:
>
> http://secunia.com/advisories/7561/
>
> ---------------
> Description:
>
> Netscape stores the user preferences in a specific location. This
> allows an attacker to steal it using javascript, it is required
> however that the javascript is executed from a local drive or network
> share.
>
> This could possibly reveal the users real name, email account, email
> password and more.
>
> Solution:
>
> This is hardly a security issue, however we regard this as not being
> critical as it requires an attacker to have local network access and
> also requires some social engineering.
>
> An attacker who has come so far could do far more malicious things.
>
> Provided and/or discovered by:
> Discovered by Bennett Haselton
> Published by David Endler, iDEFENS
> ---------------
>
> That vulnerability is classified as not critical.
>
> The second-last vulnerability in the above list is some-what esoteric
> and does not really impact on the e-mail client aspect Netscape 4.7x.
>
> So again I ask:
>
> What do***ented e-mail handling or usenet news-reading/posting
> vulnerabilities does Netscape 4.7x have?
Dozens of such. Look in the archives for them. It is a non-sup****tted
application tho, and any vulnerabilities will not be addressed.
MOST of the new 'vulnerabilities' discovered that affect either
SeaMonkey or Thunderbird will also affect Netscape 7x in a similar
manner. Whether or not they affect Netscape Communicator 4x is unknown,
because no one is testing it any longer!
|
