Netscape releases four critical patches

Netscape has released a series of fixes for serious security flaws in its browser and, incredibly, listed a further 10 that it has yet to patch.

The Netscape 8.0.3.1 update repairs the most serious security flaws in Firefox, on which Netscape is based, the company said. But it also stated that the current version of Netscape 8 also contains 10 other flaws that will be fixed in the coming weeks.

The company said it wanted to fix the most serious flaws first. Of those more serious holes, one involves the way external applications such as media players open "javascript:" Web addresses within the browser. It can be exploited to run malicious script code in the content of any site. The same bug can be used to execute script code with escalated privileges in a media player application.

Another flaw involves shared function objects, and could allow Web content scripts to execute malicious code with escalated privileges, Netscape said. Independent security organizations such as French Security Incident Response Team (FrSIRT) and Secunia have said these bugs are highly critical.

A third fix involves the way the browser sets images as the wallpaper on a PC. The "Set As Wallpaper" option doesn't properly verify image URLs, so that a user can be tricked into setting a "javascript:" URL as the wallpaper, potentially resulting in the execution of malicious code, according to an advisory from Secunia.

The update contains a fourth fix whose purpose hasn't been disclosed, according to FrSIRT. The update is available from Netscape's Web site.

Netscape 8 first launched in May and had to be patched a day after launch because a number of security patches had been mistakenly left out of the initial version. Netscape has also released a second round of security fixes and a patch for a bug that interfered with XML rendering in Microsoft Internet Explorer.