Netscape mum on bug details

The company remains tight-lipped about the nature of the potentially serious security problem in its Web browser.

Netscape Communications (NSCP) is working to post a fix next week for a potentially serious security problem in several versions of its Web browser, but the company remains tight-lipped about the nature of the problem.

"We don't want to disclose a lot of the technical details until we have a fix available," said Netscape director of security Jeff Treuhaft.

Netscape said that the bug affects all of its browsers, such as the just-released Navigator 4.0 for Communicator, including versions for Windows 95, Windows NT, Windows 3.1, Macintosh, and Unix. Next week, the company will provide a fix for the Windows versions of Communicator, Netscape's Internet client suite.

The company has not yet shipped the Mac and Unix versions of Communicator but said the final versions due this month will include the fixes. The company said it would focus on older versions of its Web browsers after it completes the fix for Communicator.

The bug, which could allow a hacker to swipe data from users' computers over the Net, was discovered by Danish programmer Christian Orellana at a security firm called CaboComm. The circumstances of that discovery are highly controversial because Orellana insisted on a bigger reward than Netscape usually offers for bug reports. When Netscape refused to pay, Orellana wouldn't hand over the technical details that would help the company replicate the bug.

In an email response received earlier today, Orellana claimed that he went to CNN because Netscape was not giving adequate attention to the problem.

"After being unable to reach Netscape at the appropriate level, CaboComm also contacted CNN, in order to inform the public about the possible intrusion of their privacy," wrote Orellana. "Netscape encouraged CaboComm to submit the bug via email under the terms of the Bugs Bounty program. CaboComm did not consider this an apropriate [sic] way to handle a major flaw in their product."

That left Netscape scrambling to pinpoint the cause of the problem on its own, said Netscape spokeswoman Andrea Cook.

"Netscape engineers have found and recreated the reported bug in Netscape Communicator and Navigator 2.0 and 3.0," said Cook. "We have created a fix and are taking it through extensive internal and external testing and will release the fix for Communicator next week."

The bug lets Web site administrators peruse files on the hard drive of anyone browsing their sites with Navigator. To access a file on the hard disk, however, Web administrators need to know the exact name and path of the file, a fact that limits the real-world danger of the bug.

The problem is not caused by Navigator's use of Java, although JavaScript could exacerbate the problem, Treuhaft said.

"There may be ways that JavaScript attempts to create symptoms of the particular problem, but it's not related to the core bug," Treuhaft said. "Turning off JavaScript does not solve the problem."

Netscape found the bug itself by analyzing a file from a computer belonging to PC Magazine, a publication that worked with Orellana to confirm the bug's existence. PC Magazine said it sent the "cache file" to Netscape. CNNfn also confirmed the bug.

Today's announcement leaves Orellana with no bargaining position, Netscape officials said.

But it doesn't dispel ethical questions about how the bug was discovered and reported.

Netscape's Bugs Bounty program offers $1,000 and a T-shirt to programmers who report new browser bugs to the company.

The programmer approached CNN early this week but the publication held the story until yesterday.

Steve Young, CNNfn technology correspondent and host of the cable channel's Digital Jam program, knew about the bug as early as Monday but didn't want to report the story until he saw a demonstration. In return for this first-hand demo, Young made a verbal agreement not to disclose certain technical information about the bug either to Netscape or to the public.

"There's more we know that we can't pass along to Netscape," Young told CNET's NEWS.COM from his New York office this morning, just before Netscape announced that it had recreated the bug. "Is this an ideal agreement? No. It's an agreement I would have preferred not to make, but we didn't want to report it without seeing the problem first-hand."

Young contacted PC Magazine yesterday for help in verifying the bug. PC Magazine agreed not to run its story until the story aired at 7 p.m. ET last night on CNN's Moneyline business report. PC Magazine did not sign a non-disclosure agreement, nor did it agree to withhold any information from Netscape, according to editor Jake Kirchner.

The magazine also didn't know about Orellana's request for money or CNNfn's agreement to withhold information. "All we knew is there was a problem and we were asked to verify it," said Kirchner. "As far as PC Magazine is concerned, I don't think there is an ethical problem."

But Kirchner is still concerned about the ethics of bug reporting in general.

"I think there are ethical questions here," said Kirchner. "If you're in the computer industry and you find a flaw in a [popular] software program, should you give the information to the company? We're using Navigator all the time; we have an interest in seeing it fixed."