NYT on Netscape Flaw

The New York Times, May 18, 1996, pp. 31, 43.

New Netscape Software Flaw Is Discovered
By John Markoff

Computer science researchers at Princeton University said yesterday that they had discovered a new and potentially serious flaw in the Netscape Communications Corporation's Navigator software, the leading program used to browse the World Wide Web of the Internet.

The flaw, which was found in recent versions of the Netscape software that support Sun Microsystems' Java programming language, could allow people to write destructive or malicious programs and potentially destroy or steal data or otherwise tamper with a computer that was connected to the Internet and used the Navigator program.

Netscape executives said that the researchers had been in touch with them about the problem on Thursday and that the software company was in the process of producing a new version of the Navigator program that would protect against potential attacks.

This is the third flaw in the Navigator program discovered in recent months by the Princeton group. Netscape has been under tremendous scrutiny over the security of its popular software since the fall, when a group of researchers at the University of California at Berkeley discovered a flaw in the Netscape security system.

In the most recent case, Thomas Cargill, an independent software consultant working with the Princeton group, discovered a problem in the way Netscape has used the Java language in its Navigator program. The group disclosed a similar flaw in March in the Netscape Navigator that would permit a Java program to run illicitly on a computer that was running the Netscape program and perform damaging operations.

"Netscape has fixed a series of problems, and the overall security of their system has improved, but there is still some reason for concern," said Prof. Edward Felten, the leader of the Princeton group, which includes two graduate students, Drew Dean and Dan Wallach.
Programs that are known as viruses and worms are a serious threat to computer networks because they can move from machine to machine quickly, carrying out destructive applications. Sun Microsystems' Java language has been designed to limit what a virus can do once it is transferred across the Internet. But the security mechanisms only work if the virus's code can be restricted in a safety "box" constructed out of software.

Netscape's executives acknowledged yesterday that the Princeton University team had on both occasions been able to find doors that let program code out of the safety box.

"We're trying to create a sandbox which has rooms where only certain things happen," said Jeff Treuhaft, Netscape's director of security. "What happened is that the Princeton team found a door and it turned out that there weren't adequate protections surrounding the door."

The company said it was in the process of posting on the Internet a new version of the most recent test version of its next-generation Internet program, version 3.0 beta. The program contains a special fix to prevent the new attack. Mr. Treuhaft said Netscape had not yet posted a fix for the most recent commercial release of its software, version 2.02, but was instead encouraging customers to use the 3.0 beta software.

Since the Berkeley researchers discovered the first security flaw, the company has offered a $1,000 "bugs bounty" to programmers who are able to locate security flaws.

[End]
Posted by: jya@pipeline.com