Netscape, Microsoft probe security flaws
- By Brian Fonseca, Stephanie Sanborn
- Aug 10, 2000
Security flaws have popped up involving the use of Java in Netscape Communications
Corp.'s Navigator browser, and Microsoft Corp. is investigating a Trojan-horse-style
intrusion in Word documents.
The Netscape bug, "Brown Orifice," lets an unsigned Java applet read
and dispense files from a user's computer. The issue can be prevented by
disabling Java, and Sun Microsystems Inc. and Netscape are working to
confirm the bug and find a solution.
"The fact that the code is out there published means any script kiddie
can copy this and plug it into a Web site infrastructure and compromise
a site," said Chris Rouland, a director of the X-Force security group at
Internet Security Systems, Atlanta. "We consider it a serious attack tool
because the first day of any attack is information-stealing."
Rouland said all versions of Netscape Navigator and Netscape Communicator
versions 4.74 and earlier are defenseless when the Java applet is enabled.
The flaw is not present in Netscape 6.0, which Netscape plans
to release later this year, according to Andrew Weinstein, a spokesman for
America Online Inc., which owns Netscape.
The company posted Netscape 6.0 Preview Release 2 as a free download
on Tuesday. The beta release adds more customization, security and mail
features.
The Microsoft security problem, reported by bug-finder Georgi Guninski,
involves Word documents, either as e-mail attachments or opened through
Web sites, that would use the Mail Merge function of Word to open an Access
database owned by the malicious user and run code on the victim's computer.
Data could be exposed or the malicious user could take over the computer
altogether, according to Guninski.
The bug can be avoided if a user has implemented the Office Mail security
update from three months ago or the Office Document Open Confirmation (ODOC)
tool, both of which create a prompt before opening Word documents from Web
sites.
The recent Outlook security update also addresses the issue, but
the best way to avoid the whole situation is to carefully consider any files
you are asked to place on your computer, according to Scott Culp, product
manager for Microsoft's security response team.
Copyright 2000 InfoWorld, International Data
Group Inc. All rights reserved.