Netscape Communicator JPEG May Run Arbitrary Code
Reported July 24, 2000 by Solar Designer

VERSIONS AFFECTED
Netscape Communicator 3.0 through 4.73, as well as Mozilla M15 -- versions 4.74 and M16 do not exhibit the bug

DESCRIPTION

The JPEG interchange format carries a two-byte length field with each comment segment in the body of the data. The affected versions of the product do not check that field for a proper value. Because of that programming oversight, a malformed length can overwrite the heap, which may allow arbitrary code to execute on the system. The problem affects the mail, news, and Web components of Communicator.
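The following marker-segment walker is an added example written for this page; it is not code from Netscape, Mozilla, or the advisory. It shows the check the description refers to: every JPEG segment length field counts its own two bytes, so a value below 2 is invalid, and the length must also fit inside the data actually read. The function names, the error codes, and the three byte sequences are constructed for the example; the byte sequences are minimal marker streams, not real images.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by the walker (constructed for this example). */
enum jpeg_status {
    JPEG_ERR_NO_SOI = -1,      /* stream does not start with FF D8 */
    JPEG_ERR_NO_MARKER = -2,   /* expected FF before a marker byte */
    JPEG_ERR_TRUNCATED = -3,   /* marker or length field runs past the buffer */
    JPEG_ERR_BAD_LENGTH = -4   /* segment length < 2 or beyond end of data */
};

#define MAX_COMMENT 256

/* Walk the marker segments of a JPEG stream up to SOS or EOI.
 * The first non-empty COM (FF FE) payload is copied into 'comment',
 * NUL-terminated and truncated to MAX_COMMENT-1 bytes.
 * Returns the number of segments seen, or a negative jpeg_status. */
int jpeg_walk_segments(const uint8_t *buf, size_t len, char *comment)
{
    size_t pos;
    int segments = 0;

    comment[0] = '\0';
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NO_SOI;
    pos = 2;

    for (;;) {
        uint8_t marker;
        uint16_t seg_len;
        size_t payload_len;

        if (pos >= len)
            return JPEG_ERR_TRUNCATED;
        if (buf[pos] != 0xFF)
            return JPEG_ERR_NO_MARKER;
        while (pos < len && buf[pos] == 0xFF)   /* FF fill bytes are allowed */
            pos++;
        if (pos >= len)
            return JPEG_ERR_TRUNCATED;
        marker = buf[pos++];

        if (marker == 0xD9 || marker == 0xDA)   /* EOI or SOS: stop here */
            return segments;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            segments++;                         /* TEM / RSTn carry no length */
            continue;
        }

        if (len - pos < 2)
            return JPEG_ERR_TRUNCATED;
        seg_len = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);

        /* The length field includes its own two bytes, so values 0 and 1
         * are invalid; subtracting 2 from them without this check wraps to
         * a huge size. The segment must also lie within the buffer. */
        if (seg_len < 2 || seg_len > len - pos)
            return JPEG_ERR_BAD_LENGTH;
        payload_len = (size_t)seg_len - 2;

        if (marker == 0xFE && comment[0] == '\0') {          /* COM */
            size_t n = payload_len < MAX_COMMENT - 1 ? payload_len : MAX_COMMENT - 1;
            memcpy(comment, buf + pos + 2, n);
            comment[n] = '\0';
        }
        pos += seg_len;
        segments++;
    }
}

/* Constructed sample streams (not real images): SOI, one COM segment, EOI. */
static const uint8_t good_jpeg[] = {
    0xFF, 0xD8,                                     /* SOI */
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', /* COM, length 7 = 2 + 5 */
    0xFF, 0xD9                                      /* EOI */
};
/* COM length field of 1: below the two-byte minimum. */
static const uint8_t bad_len_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };
/* COM length field of 256: claims more data than the buffer holds. */
static const uint8_t overlong_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x01, 0x00, 'x', 0xFF, 0xD9 };

static char g_comment[MAX_COMMENT];

/* Parse one constructed stream into the shared comment buffer. */
int demo_parse(const uint8_t *buf, size_t len)
{
    return jpeg_walk_segments(buf, len, g_comment);
}

int main(void)
{
    int rc = demo_parse(good_jpeg, sizeof good_jpeg);
    printf("good stream: %d segment(s), comment=\"%s\"\n", rc, g_comment);
    printf("length 1:    status %d\n", demo_parse(bad_len_jpeg, sizeof bad_len_jpeg));
    printf("length 256:  status %d\n", demo_parse(overlong_jpeg, sizeof overlong_jpeg));
    return 0;
}
```

The two rejections are the cases a decoder must refuse before computing a payload size or allocating for it; a decoder that trusts the field and subtracts 2 ends up with a wrapped-around size, which is the class of heap corruption the description above reports.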

VENDOR RESPONSE

Upgrade to a more current version.

CREDIT
Discovered by Solar Designer