[234] in Best-of-Security


BoS: netscape061297.htm

daemon@ATHENA.MIT.EDU (Peter Tonoli)
Sat Jun 14 09:01:35 1997

Date: Sat, 14 Jun 1997 18:53:38 +1000 (EST)
From: anarchie@heartland.suburbia.net (Peter Tonoli)
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net



   
                         Netscape target of blackmail
                                       
   Danish consultant seeks cash for details on apparent bug in Web
   software
   
   Published: June 13, 1997
   
   BY DAVID L. WILSON
   Mercury News Staff Writer
   
   An individual claiming to be a Danish computer consultant has
   identified what appears to be a serious security problem in Netscape
   Communications Corp.'s widely used Web-browsing software. But in an
   apparent case of global high-tech blackmail, he is refusing to help
   Netscape fix the flaw unless the company hands over far more than the
   $1,000 bounty it typically pays people who find significant bugs, the
   Mountain View-based company said.
   
   The consultant, whose identity remains unknown, Thursday made good on
   his threat to take the glitch public and embarrass Netscape during the
   company's developers' conference in San Jose this week unless he was
   paid. Netscape had refused to wire money to the Dane's overseas bank
   account, as he had allegedly demanded earlier this week.
   
   The flaw, which Netscape engineers have not yet studied, lets a
   malevolent Web site designer build a Web page that is capable of
   reading files stored on the hard drive of computer users who visit the
   page using Netscape's browser software -- the most widely used in the
   world.
   
   In order to gain access to the user's material, the intruder must know
   the name of the files, but files in many off-the-shelf programs can be
   easily guessed by an outsider. For example, if electronic mail is
   stored using some popular e-mail programs, the file names are often
   the same on every user's personal computer.
   
   Traditional methods of security, such as ``firewalls'' intended to
   prevent break-ins to many corporate computer systems, offer no
   protection from the reported bug.
   
   Mike Homer, Netscape's senior vice president of marketing, said late
   Thursday that the company is working on a repair but is progressing
   slowly because its programmers don't exactly know what part of their
   software code is flawed.
   
   But the company will not bow to extortion, he said. ``We don't bargain
   with terrorists. It would just encourage this type of behavior.''
   
   Netscape has communicated with the consultant by e-mail but hasn't
   confirmed the person's real name. Netscape officials have taken to
   calling the Dane ``he'' even though gender and other identifying
   characteristics are impossible to determine in cyberspace.
   
   The defect was confirmed by PC Magazine at the request of CNNfn, an
   offshoot of Cable News Network that focuses on financial news. The
   consultant approached CNN with the information earlier this week.
   
   It isn't clear which versions of Netscape's browser software are
   affected by the problem, but PC Magazine confirmed through its own
   testing with the Dane that it exists in version 3.01, which is
   commonly referred to as ``Navigator.'' Navigator and other browsers
   enable users to locate, read and download information stored on the
   global Internet.
   
   The Danish consultant claims the bug exists in all versions of the
   software back to 2.0, and in Netscape's new 4.0 product introduced
   this week, called ``Communicator.''
   
   Engineers can often patch such security holes within hours after they
   are shown how the flaw is exploited, but because Netscape's software
   specialists haven't received detailed information about how the flaw
   works, the detective work is somewhat slower than normal.
   
   It's not exactly clear how the hole works, but a Netscape
   representative confirmed that a Web page built using standard
   techniques -- using the hypertext mark-up language, or HTML -- would
   probably not be capable of reading a user's files, as described by PC
   Week and CNNfn. Assuming that the description of the problem is
   accurate, it is possible that the flaw is exploiting some
   vulnerability in techniques used in Java or JavaScript. Java is a
   programming language.
   
   If that's true, users may be able to reduce their immediate risk by
   turning off the browsing software's ability to interpret Java. In most
   versions of the Netscape software, that can be done by clicking on the
   ``Options'' button, then choosing ``Network Preferences'' and finally,
   ``Languages.'' Removing the checkmarks from ``Enable Java'' and
   ``Enable JavaScript'' will disable both those functions. They can be
   easily reactivated if the user needs them to get information from
   certain Web sites. For example, animated stock tickers on a site might
   be made possible by Java.
   
   The Netscape problem is similar to a series of security flaws that
   have plagued Microsoft Corp.'s competing browser, Internet Explorer.
   
   A Netscape official said the company has not yet decided whether to
   involve law enforcement. The company never received the Dane's bank
   account number because it never agreed to pay the consultant. And the
   consultant hadn't specified exactly how much money he wanted.
   
   Extortion attempts have become increasingly common in cyberspace.
   Blackmailers identify a bug, then threaten to distribute an automated
   script that exploits the problem unless the manufacturer pays them.
   
   Last year, one enterprising person regularly distributed a security
   flaw each week on the Internet. Each distribution contained an
   unsuccessful plea for a job from the company that manufactured the
   products he was targeting.
   
   ©1996-7 Mercury Center. The information you receive on-line from
   Mercury Center is protected by the copyright laws of the United
   States. The copyright laws prohibit any copying, redistributing,
   retransmitting, or repurposing of any copyright-protected material.

