IP: Potentially Big Security Flaw Found in Netscape Software
--- begin forwarded text Delivered-To: ignition-point@majordomo.pobox.com X-Sender: believer@telepath.com Date: Mon, 28 Sep 1998 11:24:13 -0500 To: believer@telepath.com From: believer@telepath.com Subject: IP: Potentially Big Security Flaw Found in Netscape Software Mime-Version: 1.0 Sender: owner-ignition-point@majordomo.pobox.com Precedence: list Reply-To: believer@telepath.com Source: New York Times http://www.nytimes.com/library/tech/yr/mo/biztech/articles/28java.html September 28, 1998 Potentially Big Security Flaw Found in Netscape Software By JOHN MARKOFF SAN FRANCISCO -- A potentially serious security flaw has been discovered in the programming language used in the Navigator and Communicator software of the Netscape Communications Corp., with the defect possibly allowing an outsider to read information on a personal computer user's hard disk. The weakness, which was disclosed in Usenet online discussion groups on Friday by Dan Brumleve, a 20-year-old independent computer consultant in Sunnyvale, Calif., can be exploited by the Javascript programming language, which is widely used by World Wide Web page developers for a variety of common tasks. Brumleve said that he had tested the attack on a range of Navigator and Communicator programs, up through the most recent test version of Communicator, 4.5, and found the flaw in all of them. The vulnerability does not affect the Microsoft Explorer browser and e-mail program, Brumleve said. He was able to take advantage of the vulnerability by writing a 30-line piece of Javascript code that is able to capture and copy information automatically from the so-called cache, or temporary storage area, on a PC's hard disk. The captured information can reveal which Web sites a computer user has recently visited. The captured information could also include data that a computer user might have created when communicating with a Web site -- including personal data typed in when registering at a site or conducting a retail transaction. Credit card information, however, would not be revealed, because it is protected by separate security software. "It concerns me, because it means that a high-traffic Web site might use this to find out what other Web sites their visitors are going to," Brumleve said in a telephone interview Sunday. He said that the flaw could also be used by an employer to see if employees were searching for pornography, for example. Although there is no evidence that the security flaw has actually been exploited by someone with harmful intent, the gravity of the threat was noted by other computer security specialists. They noted that a user's vulnerability extends beyond visiting a hostile Web site that might exploit the flaw. The flaw could also be exploited through e-mail received using Netscape's software, they said, by sending an intended victim an e-mail message that would secretly force the user to run an illicit Javascript program. "This is pretty scary," said Richard M. Smith, president of Phar Lap Software Inc., a software development company in Cambridge, Mass. "In some sense the cache on your computer tells a lot about your life." Privacy of personal information on the Internet has become an increasingly sensitive issue in recent years as many Web sites have begun systematically collecting demographic information on Internet users. But this newly discovered flaw could enable an unscrupulous person or organization to basically read a person's full Web history. "This is a huge privacy issue and it goes directly to the current lack of adequate technical standards to protect privacy on line," said Marc Rotenberg, director of the Electronic Privacy Information Center, a public policy group in Washington. "There's even a question of a company like Netscape might be liable for the improper disclosure of private information." Netscape said Sunday that it was still assessing the problem. "We're taking a look at the bug, which appears to have privacy implications," said Eric Byunn, a Netscape product manager. He said that the company would make an announcement soon about its plans for responding to the flaw. Copyright 1998 The New York Times Company ----------------------- NOTE: In accordance with Title 17 U.S.C. section 107, this material is distributed without profit or payment to those who have expressed a prior interest in receiving this information for non-profit research and educational purposes only. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml ----------------------- ********************************************** To subscribe or unsubscribe, email: majordomo@majordomo.pobox.com with the message: (un)subscribe ignition-point email@address ********************************************** www.telepath.com/believer ********************************************** --- end forwarded text ----------------- Robert A. Hettinga <mailto: rah@philodox.com> Philodox Financial Technology Evangelism <http://www.philodox.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
participants (1)
-
Robert Hettinga