CVE-2002-2061
Description
Heap-based buffer overflow in Netscape 6.2.3 and Mozilla 1.0 and earlier allows remote attackers to crash client browsers and execute arbitrary code via a PNG image with large width and height values and an 8-bit or 16-bit alpha channel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap overflow in Netscape 6.2.3 and Mozilla 1.0 and earlier via crafted PNG images allows remote code execution.
Vulnerability
Heap-based buffer overflow in the PNG image decoder of Netscape 6.2.3 and Mozilla 1.0 and earlier. A crafted PNG image with large width and height values combined with an 8-bit or 16-bit alpha channel triggers the overflow [1]. The vulnerability resides in the handling of PNG image dimensions and alpha channel data during rendering.
Exploitation
An attacker can exploit this remotely by hosting a malicious PNG image on a website or embedding it in an email. The victim must load the image in the affected browser. No additional authentication or user interaction beyond normal browsing is required [1]. The crafted image causes a heap overflow when the browser attempts to allocate memory for the image based on the manipulated dimensions.
Impact
Successful exploitation leads to a browser crash, and code execution with the privileges of the user running the browser is possible. This can result in full system compromise, including data theft and malware installation [1]. The vulnerability allows arbitrary code execution in the context of the affected application.
Mitigation
Mozilla developers fixed the issue in Mozilla 1.0.1, released on July 23, 2002 [1]. Netscape users should upgrade to the latest available version of Netscape or switch to a supported browser. No workaround other than avoiding untrusted PNG images is available. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:* (range: <=1.0)
- (no CPE) (range: <=1.0)
Patches
No patches discovered yet.
References (4)