======================================================================= Netscape Navigator 1.22 (Windows) ======================================================================= Netscape Navigator 1.22 is subject to the terms detailed in the license agreement accompanying it. *********************************************** IMPORTANT! Before going any further, please read and accept the terms in the file LICENSE. *********************************************** Release notes for this version of the Netscape Navigator are available online. After starting the program, select "Release Notes" from the "Help" menu. This will take you to the URL http://home.netscape.com/eng/mozilla/1.2/relnotes/windows-1.22.html which lists new features and known problems of this release. To submit bugs or other feedback, use the "How To Give Feedback" option, also in the "Help" menu, which will take you to the URL http://home.netscape.com/home/how-to-give-feedback.html ======================================================================= Security Fix Description ======================================================================= TECHNICAL BACKGROUND Netscape Navigator uses random information to generate session encryption keys of either 40 or 128 bits in length. The random information is found through a variety of functions that look into a user's machine for information about how many processes are running, process ID numbers, the current time in microseconds, etc. Previous releases of Netscape Navigator were vulnerable because the size of random input was less than the size of the subsequent keys. This means that instead of searching through all the 2^128 possible keys by brute force, a potential intruder only had to search through a significantly smaller key space by brute force. This was a substantially easier problem to solve because it takes much less compute time and means 40-bit or 128-bit key strength is substantially reduced. SOLUTION Netscape Navigator 1.22 (Windows), 1.12 (Macintosh and Unix), 1.12I (localized builds for all 3 platforms) fixes the specific portion of our software where this vulnerability existed. We have significantly increased the amount of random information that cannot be discovered by external sources from approximately 30 bits to approximately 300 bits. Netscape has greatly expanded the techniques and sources used to generate the random information. The number of unpredictable bits in the RNG makes it no lnoger the weak link in the chain. ======================================================================= Installation Instructions ======================================================================= * Installation Version 1.22 is being distributed as both a 16-bit Windows program and a 32-bit windows program. If you are running Win3.x you must use the 16-bit version even if you are running Win32s, because the 32-bit version makes use of 32-bit API calls not supported by Win32s. Both the 16-bit and 32-bit versions includes an installation program. To install Netscape run the setup.exe program. The Netscape installation program will install Netscape in a directory of your choice, add a Netscape section to your WIN.INI file, and create a Program Manager group and item. The 32-bit Netscape Navigator stores preferences in the system registry. * Please read the release notes under "Help -> Release Notes". ======================================================================= MAPI Installation ======================================================================= MAPI is now available in the 32bit version of the Navigator in Win 95 for Mail and News. This is only for Windows 95 and not NT. As you know MS Exchange is a mail application, it stores and orginizes your mail. Just like MS Mail, Netscape Internet Transport is a messaging service, but different than MS Mail, and it allows you to send and receive internet e-mail and post news messages in Netscape. Enabling the option "Use Exchange client for Mail and News" will not work correctly unless Netscape Internet Transport in Configured for MS Exchange app in Control Panel. To configure MAPI, you will need to do the following if you don't have MS MAIL already configured. 1) Adding Netscape Internet Transport a) go to the Control Panel b) double click on Mail/Fax icon c) click on the Add button d) Select Netscape Internet Transport, click on Next at this point follow the Inbox Setup Wizard. f) When you are done, click on Properties and make sure that Netscape Internet Transport is list under Services. To configure MAPI when you have MS MAIL already configured do the following. 1) Adding Netscape Internet Transport to your existing Profile a) go to the Control Panel b) double click on Mail/Fax icon c) click on the Add button d) Select Netscape Internet Transport under the list of available Information Services. Click on OK e) Fill out the the forms for USERS and HOST. Click OK 2) Adding Netscape Internet Transport to a new Profile a) go to the Control Panel b) double click on Mail/Fax icon c) click on Show Profiles d) click on Add e) Select Netscape Internet Transport, click on Next f) enter the Profile Name at this point follow the Inbox Setup Wizard. g) When you are done, click on Properties and make sure that Netscape Internet Transport is list under Services. If you don't have MS Exchange already installed and you have already installed the Netscape Navigator, you will need to reinstall the Navigator once you have installed MS Exchange. ======================================================================== Win32s ======================================================================== If you are running version 1.15 or below of Win32s, you will be unable to install the Netscape Navigator unless you upgrade to version 1.20 of Win32s or you remove Win32. You can determine which version of Win32s you have in one of two ways: - check the WIN32S.INI file in your Windows system directory - if you are running Windows for Workgroups, select the WIN32S16.DLL file from the Windows system directory in File Manager. Then from the File menu, choose Properties. The Version line contains the major version and the build number. To remove Win32s, do the following: 1. Remove the following line from the [386Enh] section in the SYSTEM.INI file: device=\\win32s\w32s.386 where and are where the Windows and System directories are, respectively. 2. Remove winmm16.dll from the following line from the [BOOT] section in the SYSTEM.INI file: drivers=mmsystem.dll winmm16.dll 3. Delete the following files from the \ subdirectory: W32SYS.DLL WIN32S16.DLL WIN32S.INI 4. Delete all the files in the \\WIN32S subdirectory. Then delete the subdirectory itself. 5. Restart Windows. Here's how you can obtain Win32s version 1.20 which Microsoft refers to as application note PW1118: To obtain this Application Note (number PW1118) and the files included with it, download PW1118.EXE, a self-extracting file, from the Microsoft Software Library (MSL) on the following services: - CompuServe GO MSL Search for PW1118.EXE Display results and download - Microsoft Download Service (MSDL) Dial (206) 936-6735 to connect to MSDL Download PW1118.EXE - Internet (anonymous FTP) ftp ftp.microsoft.com Change to the \SOFTLIB\MSLFILES directory Get PW1118.EXE ======================================================================= OLE 2.02 ======================================================================= The Netscape install program for Windows 3.1 and Windows for Workgroups will install the following OLE2 files into the Windows System directory if either there is no existing DLL or the existing DLL is older: COMPOBJ.DLL 108544 10-10-94 MFCOLEUI.DLL 146976 1-13-95 OLE2.DLL 302592 10-10-94 OLE2.REG 27026 10-10-94 OLE2CONV.DLL 57328 10-10-94 OLE2DISP.DLL 164832 10-10-94 OLE2NLS.DLL 150976 10-10-94 OLE2PROX.DLL 51712 10-10-94 STDOLE.TLB 4304 10-10-94 STORAGE.DLL 157696 10-10-94 TYPELIB.DLL 177216 10-10-94 ======================================================================= International ======================================================================= The Netscape installer will overwrite existing OLE2 DLLs with the latest versions for US Windows. This will not affect 32-bit Windows. For 16-bit Windows, the only difference between the US and the Japanese versions are the internationalization of error strings. Occasionally, the Japanese user may see an English language OLE2 error message after installing Netscape. Currently, there are no Japanese versions available for the OLE2 DLLs. Netscape is working with Microsoft to make the Japanese version of the OLE2 DLLs available. ======================================================================= Running Netscape ======================================================================= What do I need to run Netscape Navigator? You must have a direct Internet connection before you can use Netscape. The ability to send and receive e-mail does not necessarily mean you can run Netscape. There are three requirements for Netscape Navigator 1.22: 1. A direct Ethernet connection to the net, or a dialup SLIP or PPP account from an Internet service provider. 2. TCP/IP stack 3. Netscape Navigator software You can get a direct connection to the Internet through a service provider in your area. You will need to get a SLIP or a PPP account from an Internet provider (for a dialup account). When you have full Internet connectivity, you need to have a TCP/IP stack, dialer, and WINSOCK.DLL file. ======================================================================= Cannot Find WINSOCK.DLL ======================================================================= If you get the error message "Cannot find WINSOCK.DLL" when running Netscape Navigator that means your computer is looking for the WINSOCK.DLL file, which is part of a winsock package (also includes dialer, TCP/IP stack). A winsock package makes it so that your PC can talk TCP/IP, which is necessary for Netscape to run. See the "Running Netscape" section for details on running the Netscape Navigator, and the "Obtaining a Winsock Package" section for suggestions on obtaining a winsock package. ======================================================================= Obtaining a Winsock Package ======================================================================= You can get the shareware winsock package, which is called Trumpet Winsock from http://www.trumpet.com.au/wsk/winsock.htm Other winsock packages which we have tested without problems are: FTP Software's PC/TCP NetManage Microsoft WFW (Wolverine) Microsoft NT Network TeleSystems (NTS) Implementation (general): Put the winsock in its own directory, for example, C:\WINSOCK, and include the directory in your DOS PATH statement. Enter Windows, create a group in the Program Manager for all files with your winsock program. Please be sure that the Netscape directory is in your path located in your autoexec.bat file. You may need to add: PATH=C:\(name of the directory where netscape is located) After making this change, save the file and reboot your computer.