Netscape Bug Uncovered (fwd)

Rachel Polanskis rachel@juno.virago.org.au
Fri, 13 Jun 1997 16:15:43 +1000 (EST)


---------- Forwarded message ----------
From: "J. N. Burgess" <burgo1@ozemail.com.au>
Date: Fri, 13 Jun 1997 14:12:14 +1100
Newsgroups: aus.net.news
Subject: Netscape  Bug  Uncovered

This article is from the CNN Webpage
http://cnnfn.com/digitaljam/9706/12/netscape_pkg/


                          Netscape bug uncovered 

                          Danish software firm finds flaw that
                          could let sites see data stored on PCs 

                          From Correspondent Steve Young
                          June 12, 1997: 6:58 p.m. ET


                 NEW YORK (CNNfn) - A serious new flaw
                 that affects all versions of Netscape
                 Communications Corp.'s popular Navigator
                 Internet browser software -- including the final
                 test version of its Communicator Suite released
                 Wednesday -- has been uncovered by a Danish
                 software firm, CNNfn has learned. 

                 The bug was reported by Cabocomm, a
                 software company located about 100 miles west
                 of Copenhagen, Denmark. The bug makes it
                 possible for Web-site operators to read anything
                 stored on the hard drive of a PC logged on to
                 the Web site.

                 After the firm reported the bug to CNN
                 Financial News, CNNfn and PC Magazine
                 tested the bug by creating and storing a
                 document on a PC's hard drive in New York.
                 Seconds later, the Danish company read it. 

                 As further proof, CNNfn and PC Magazine
                 created another document which the Danish
                 company was also able to read.

                 Larry Seltzer, technical director of PC Labs,
                 was among those who helped verify the bug
                 report. He said it would take a somewhat savvy
                 computer user to exploit the bug.

                 "They have to be seeking information from your
                 system and they also have to know the file
                 name. It's not that hard for somebody who's
                 looking to make trouble, but they do have to be
                 looking for it," Seltzer said.

                 "It's serious in that it's in the [actual] browser
                 ...whereas previous bugs generally required the
                 user to have downloaded an additional product,"
                 Jim Wise, UNIX administrator for CNNfn, said.

                 CNNfn's test showed that Internet security
                 firewalls offer no protection from the bug.

                 Mike Homer, vice president of marketing for
                 Netscape, said the company takes this and all
                 bug reports seriously.

                 The Danish company says the reward of $1,000
                 and a T-shirt is "insultingly low" considering the
                 extent to which the bug report is likely to worry
                 Netscape users.

                 Cabocomm said it would accept "reasonable
                 compensation" for the technical information -- or
                 they can send a Netscape representative to
                 Cabocomm and get it for free.

                 CNNfn, PC Magazine and the Danish company
                 will not release technical details on the bug until
                 Netscape has prepared a bug fix.

                 The reason CNNfn is not reporting the specifics
                 of the bug is to avoid anyone exploiting it.

                 Until the bug is fixed, confidential letters,
                 business spreadsheets -- everything on your PC
                 -- can potentially be pilfered.

                 The Danish company says it won't exploit the
                 bug, but has no idea if someone else has found
                 the same bug and is compromising a system's
                 integrity.

			END OF ARTICLE


Is it a Bug or a design feature?????


                 defghijklmnopqrstuvwxyz:  What? No ABC?
--
Rachel Polanskis                 Kingswood, Greater Western Sydney, Australia 
grove@zeta.org.au                http://www.zeta.org.au/~grove/grove.html
r.polanskis@nepean.uws.edu.au    http://www.nepean.uws.edu.au/ccd/
                Witty comment revoked due to funding cuts