The Danish company that claims to have discovered the bug won't tell how it found it or how to test for it. And, so far, Netscape engineers have been unable to find the bug themselves.
"Nobody has been able to verify that the shipping version of Communicator is susceptible," said Jeff Treuhaft, Netscape's director of security. He said Danish security software company Cabocomm verified the bug with a beta version of Communicator.
Cabocomm was not available for comment.
The bug would be the first major security breach for Communicator, a new suite of groupware and Internet products that became available for public download this week. Netscape has encountered a series of security problems with its Web browser Navigator, as has arch rival Microsoft with its Internet Explorer.
First reported by CNNfn, the bug allegedly allows a Web site administrator to peruse files on the hard drive of a computer used by anyone entering that administrator's site with Netscape's Navigator browser, which ships as part of the Communicator suite. To do so, the Web administrator needs to know the exact path and name of the file.
Cabocomm, which said it contacted Netscape after discovering the hole, asked for money in return for the technical details. Netscape offers $1,000 and a T-shirt to anyone who reports a bug in their software. Netscape says Cabocomm insisted on more before it would hand over its proof.
"If we weren't willing to pay him more money, he said, he would disclose potential bugs to the news media during our developer conference," Treuhaft said. "We obviously didn't negotiate and treated the threats like he was making like a bomb scare."
CNNfn and PC Magazine helped Cabocomm test for the bug, but Netscape said neither publication will divulge the details because they signed "non-disclosure" agreements--that is, agreements to not pass on any information. Both publications, however, wrote stories reporting that the bug exists and that it poses a potentially serious security hazard.
Netscape is now working with what information it has, trying to determine if the bug exists in the shipping version of Communicator.