AOL says Netscape upgrade plugs security hole

The Computer Emergency Response Team (CERT) warned that AOL's Communicator browser was putting sensitive information at risk because of the way it was handling a key security protocol.

The problem in previous iterations of Communicator is with its implementation of Secure Sockets Layer (SSL), a standard for securing the transfer of sensitive information such as credit card numbers over the Net. The use of SSL is widespread in e-commerce transactions.

"Attackers can trick users into disclosing information (potentially including credit card numbers, personal data or other sensitive information) for a legitimate Web site, even if that Web site uses SSL to authenticate and secure transactions," CERT warned in its advisory.

AOL's Netscape unit responded that its most recent minor-point release of Communicator, version 4.7.3, addressed the problem raised in the CERT advisory.

Netscape said the hole was patched both in the Personal Security Manager (PSM) for Netscape Communicator and in Communicator 4.7.3.

CERT credited the ACROS Security Team of Slovenia for discovering the bug.

In its report on the bug, ACROS said the problem was that Communicator was failing to give warnings when presented with bogus SSL certificates. With SSL, a server presents the browser with a certificate establishing its identity. If the certificate is deemed trustworthy, the browser will establish the SSL session; if not, it will issue a warning.

With Communicator versions prior to 4.7.3, the browser will keep the SSL session alive while the browser is communicating with a server of the same Internet Protocol (IP) address.

The trouble is that through a sleight of hand described by ACROS, more than one Web destination can be associated with a single IP address.

"Since more than one hostname can have the same IP address, there is a great potential for security breach," ACROS wrote in its report. "This behavior is not in compliance with SSL specification."