Netscape, Microsoft probe security flaws

• By Brian Fonseca, Stephanie Sanborn
• Aug 10, 2000

Security flaws have popped up involving the use of Java in Netscape Communications Corp.'s Navigator browser, and Microsoft Corp. is investigating a Trojan-horse-style intrusion in Word documents.

The Netscape bug, "Brown Orifice," lets an unsigned Java applet read and dispense files from a users' computer. The issue can be prevented by disabling Java, but Sun Microsystems Inc. and Netscape are working on confirming and finding a solution for the bug.

"The fact that the code is out there published means any script kiddie can copy this and plug it into a Web site infrastructure and compromise a site," said Chris Rouland, a director of the X-Force security group at Internet Security Systems, Atlanta. "We consider it a serious attack tool because the first day of any attack is information-stealing."

Rouland said all versions of Netscape Navigator and Netscape Communicator versions 4.74 and earlier are defenseless when the Java applet is enabled.

The flaw is not contained within Netscape 6.0, which Netscape plans to release later this year, according to Andrew Weinstein, a spokesman for America Online Inc., which owns Netscape.

The company posted Netscape 6.0 Preview Release 2 as a free download on Tuesday. The beta release adds more customization, security and mail features.

The Microsoft security problem, reported by bug-finder Georgi Guninski, involves Word documents, either as e-mail attachments or opened through Web sites, that would use the Mail Merge function of Word to open an Access database owned by the malicious user and run code on the victim's computer. Data could be exposed or the malicious user could take over the computer altogether, according to Guninski.

The bug can be avoided if a user has implemented the Office Mail security update from three months ago or the Office Document Open Confirmation (ODOC) tool, both of which create a prompt before opening Word documents from Web sites.

The recent Outlook security update also addresses the issue, but that the best way to avoid the whole situation is to carefully consider any files you are asked to place on your computer, according to Scott Culp, product manager for Microsoft's security response team.

Copyright 2000 InfoWorld, International Data Group Inc. All rights reserved.