Netscape preps patch for security hole

Netscape Communications will provide a software fix next week for a security flaw in its Netscape Navigator 2.0 browser that might let hackers get at server data, the company confirmed today.

The security flaw was reported this week by Edward Felten, an assistant professor of computer science at Princeton University. Felten discovered that, under certain circumstances, Java applets downloaded from the Web to a Navigator client could gain unauthorized access to other computers on the LAN, including servers.

Netscape acknowledged the security problem but said the hole could not be exploited by a virus to wipe out a hard drive or cause other havoc because of security constraints in the Java language.

Furthermore, an applet would be able to access files only if the Domain Name Server (DNS) from which the applet originated had been "spoofed," or impersonated, by a hacker, said Jeff Treuhaft, a product manager at Netscape. Though the practice of spoofing gained notoriety recently after the break-in to security expert Tsutomu Shimomura's computer and the subsequent capture and conviction of hacker Kevin Mitnick, it is a complex activity that the casual hacker is unlikely to attempt.

The Netscape security problem affects only those versions of Netscape Navigator 2.0 that run on Windows 95, Windows NT, and Unix because they include support for Java, Treuhaft said.

Officials at Sun Microsystems also plan to release a software patch for the security hole, but emphasized that the problem pertains to any kind of executable code that runs over the Internet, not to just Java code.

"[DNS] spoofing is a problem that precedes Java and has no direct correlation to Java applets," said Marianne Mueller, a Java security expert at Sun.