Mosaic Security Issues and Responses

  1. Mosaic 2.2, and all previous versions of NCSA Mosaic for the X Window System, have a serious security hole that allows telnet URLs to execute an arbitrary UNIX command. The immediate action was to inform people how to disable telnet URLs. As of Mosaic 2.3 this bug has been fixed; for more information, read about the details of the telnet URL problem.

  2. There was once a concern about Mosaic using ghostview as a PostScript viewer, because PostScript can be insecure. The new version of ghostscript (Version 2.6.1) used by ghostview runs in secure mode by default, so this is no longer an issue.

  3. There is a way (involving reconfiguration of both client and server) to have Mosaic execute an arbitrary shell script that is passed over the network. This is a documented feature that cannot be activated accidentally; you should read about Executing Shell Scripts in Mosaic before activating it.

THAT IS ALL! If there are any other security problems that any of you know of, PLEASE MAIL US! If you post security concerns to the net, please be kind enough to be specific. Vague alarmist postings just make more busy work for us.

Eric Bina (ebina@ncsa.uiuc.edu)