Netscape, Microsoft probe security flaws

Security flaws have popped up involving the use of Java in Netscape Communications Corp.'s Navigator browser, and Microsoft Corp. is investigating a Trojan-horse-style intrusion in Word documents.

The Netscape bug, "Brown Orifice," lets an unsigned Java applet read and dispense files from a user's computer. The issue can be prevented by disabling Java, and Sun Microsystems Inc. and Netscape are working to confirm the bug and find a solution.

"The fact that the code is out there published means any script kiddie can copy this and plug it into a Web site infrastructure and compromise a site," said Chris Rouland, a director of the X-Force security group at Internet Security Systems, Atlanta. "We consider it a serious attack tool because the first day of any attack is information-stealing."

Rouland said all versions of Netscape Navigator and Netscape Communicator versions 4.74 and earlier are defenseless when the Java applet is enabled.

The flaw is not present in Netscape 6.0, which Netscape plans to release later this year, according to Andrew Weinstein, a spokesman for America Online Inc., which owns Netscape.

The company posted Netscape 6.0 Preview Release 2 as a free download on Tuesday. The beta release adds more customization, security and mail features.

The Microsoft security problem, reported by bug-finder Georgi Guninski, involves Word documents, either as e-mail attachments or opened through Web sites, that would use the Mail Merge function of Word to open an Access database owned by the malicious user and run code on the victim's computer. Data could be exposed or the malicious user could take over the computer altogether, according to Guninski.

The bug can be avoided if a user has implemented the Office Mail security update from three months ago or the Office Document Open Confirmation (ODOC) tool, both of which create a prompt before opening Word documents from Web sites.

The recent Outlook security update also addresses the issue, but the best way to avoid the whole situation is to carefully consider any files you are asked to place on your computer, according to Scott Culp, product manager for Microsoft's security response team.

Copyright 2000 InfoWorld, International Data Group Inc. All rights reserved.
