"This is a privacy bug that lets a malicious Web site get the URLs that are contained in the current cache," said Netscape product manager Eric Byunn. "There is a privacy implication in that the site can find out what sites you've visited in the recent past."
Byunn said that, pending the arrival of a fix this week, Navigator users could protect themselves against the bug by setting their browser cache size, under "preferences," to zero. Netscape will post the fix to its Web site and also include it in the shipping version of Communicator 4.5, the company's Internet software suite that includes Navigator.
Byunn also acknowledged the possibility that the exploit could be carried out by sending Web-based email to a Navigator user, and that a similar exploit could expose information about recent Web searches the user carried out. But he said Netscape had only verified the bug as it affects surfing history of those visiting a hostile Web site.
The coming fix will cover all those potentialities, Byunn said.
"We're working on a fix that would prevent this kind of information from being transmitted to a Web site, particularly for this class of privacy bug," he said.
To gauge the seriousness of the threat to their own personal privacy, Navigator users can view the contents of their present cache by entering "about:cache" into their browser address bar. More information about surfing history can be found by entering "about:global."
Richard M. Smith, president of Phar Lap Software, said the security hole, first reported by the New York Times, not only could be exploited to expose searching history and executed via Web-based email, but also could reveal Web site passwords, depending on whether sites include those passwords in their URLs.
"I've tested it," Smith said. "It works."