Netscape, Microsoft probe security flaws

Security flaws have popped up involving the use of Java in Netscape Communications Corp.'s Navigator browser, and Microsoft Corp. is investigating a Trojan-horse-style intrusion in Word documents.

The Netscape bug, "Brown Orifice," lets an unsigned Java applet read and dispense files from a user's computer. The issue can be prevented by disabling Java, but Sun Microsystems Inc. and Netscape are working on confirming and finding a solution for the bug.

"The fact that the code is out there published means any script kiddie can copy this and plug it into a Web site infrastructure and compromise a site," said Chris Rouland, a director of the X-Force security group at Internet Security Systems, Atlanta. "We consider it a serious attack tool because the first day of any attack is information-stealing."

Rouland said all versions of Netscape Navigator and Netscape Communicator versions 4.74 and earlier are defenseless when the Java applet is enabled.

The flaw is not contained within Netscape 6.0, which Netscape plans to release later this year, according to Andrew Weinstein, a spokesman for America Online Inc., which owns Netscape.

The company posted Netscape 6.0 Preview Release 2 as a free download on Tuesday. The beta release adds more customization, security and mail features.

The Microsoft security problem, reported by bug-finder Georgi Guninski, involves Word documents, either as e-mail attachments or opened through Web sites, that would use the Mail Merge function of Word to open an Access database owned by the malicious user and run code on the victim's computer. Data could be exposed or the malicious user could take over the computer altogether, according to Guninski.

The bug can be avoided if a user has implemented the Office Mail security update from three months ago or the Office Document Open Confirmation (ODOC) tool, both of which create a prompt before opening Word documents from Web sites.

The recent Outlook security update also addresses the issue, but the best way to avoid the whole situation is to carefully consider any files you are asked to place on your computer, according to Scott Culp, product manager for Microsoft's security response team.

Copyright 2000 InfoWorld, International Data Group Inc. All rights reserved.

