Netscape tests patches for security hole

The vulnerability lets a hostile Web site glean private information from a visitor, including but not limited to that visitor's bookmarks.

Paul Festa, Staff Writer, CNET News.com. Paul Festa covers browser development and Web standards.
Netscape is testing patches for a newly discovered security hole in its Communicator Web browser that could expose private files.

Netscape and the bug's discoverer agree that the problem isn't with any one aspect of Communicator, but with a combination of technologies that lets a malicious Web operator skirt browser security checks.

Those security checks normally prevent Web authors from using JavaScript to transfer information out of a frame that has the Web surfer's liberal security clearance into another frame belonging to the hostile Web site.

JavaScript is a scripting language, designed by Netscape, that lets a Web page trigger actions in the browser without any action by the person using it. Frames are smaller windows within a browser window on Web sites.

Computer users can use frames or full windows to open local files on their computers, which is why windows opened from the local disk are given that liberal security clearance. Cross-frame security checks are designed to protect those windows from being hijacked by hostile Web sites.
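The following is an added illustration, not Netscape's code, of the cross-frame check the article refers to: it reduces each frame's document URL to a scheme/host/port origin and lets one frame read another only when the origins match. It assumes the modern rule that a local (file:) document gets an opaque origin no network site can match; the hostile URL and the bookmark file name are constructed placeholders, and only the profile path comes from the article.

```javascript
// Default ports, so "http://site.example/" and "http://site.example:80/" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a document URL to its origin. Non-network schemes (file:, about:, ...)
// get an opaque origin that nothing else can match. The article describes
// Communicator granting local windows *broader* rights instead; this example
// deliberately models only the boundary that keeps Web sites out of them.
function originOf(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) {
    return { opaque: true, scheme: url.protocol, href: url.href };
  }
  return {
    opaque: false,
    scheme: url.protocol,
    host: url.hostname.toLowerCase(),
    port: url.port || DEFAULT_PORTS[url.protocol],
  };
}

// May script running in the frame loaded from `accessorUrl` read the DOM
// (document.links, form fields, cookies) of the frame loaded from `targetUrl`?
// The answer depends only on where each document was loaded from, never on
// where the script text itself came from (a cookie, a query string, ...).
function canAccessFrame(accessorUrl, targetUrl) {
  const a = originOf(accessorUrl);
  const t = originOf(targetUrl);
  if (a.opaque || t.opaque) {
    return { allowed: false, reason: "local or non-network document: opaque origin" };
  }
  if (a.scheme !== t.scheme) return { allowed: false, reason: "scheme mismatch" };
  if (a.host !== t.host) return { allowed: false, reason: "host mismatch" };
  if (a.port !== t.port) return { allowed: false, reason: "port mismatch" };
  return { allowed: true, reason: "same origin" };
}

// Constructed sample: a hostile site's frame versus a bookmark file under the
// default profile directory named in the article (file name is a placeholder).
const HOSTILE_FRAME = "http://hostile.example/attack.html";
const BOOKMARK_FILE =
  "file:///C:/Program%20Files/Netscape/Users/default/PLACEHOLDER-bookmarks.htm";

console.log(canAccessFrame(HOSTILE_FRAME, BOOKMARK_FILE));
console.log(canAccessFrame("http://site.example/a.html", "http://site.example:80/b.html"));
```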

But in an exploit demonstrated by bug hunter and anti-content-filtering activist Bennett Haselton, a Web author can insert JavaScript code through a cookie placed on a person's hard drive.

Cookies are text files that Web sites use to store information about a visitor for future reference. Applications that rely on cookies include Web-based email applications, which use the technology to track how long a visitor has been logged into an account, and shopping carts, which keep track of items a shopper has opted to buy.

Haselton said the exploit could be used to pilfer both bookmarks and cache information. The cache keeps copies of Web pages so that the browser does not have to make new queries to the same Web address to display repeatedly requested content.

"Getting 'read' access to the user's hard drive is the second-most-powerful exploit you can possibly launch," said Haselton, identifying the ability to execute code on a person's computer as the most powerful. "If I run the exploit on a specific person, I can determine what other sites they have visited."

Netscape, a unit of America Online, minimized the importance of the vulnerability, citing the necessary conditions--having the configuration set to "default" and the browser installed in its default location--and the fact that only links, such as those found in bookmark files, could be accessed using the exploit.

Netscape also disputed Haselton's claim that the hole exposed a user's cache files.

"To exploit this bug, the hostile Web site must know the name of the targeted HTML file," said Eric Krock, Netscape's group product manager for tools and components. "The names of the files in the cache are encrypted. Therefore, files in the cache cannot be accessed."

Netscape further downplayed the seriousness of the hole, pointing out that even vulnerable files were not fully readable through it.

"Even if you know the name of the file, you don't have access to all of its contents," Krock said. "You can't read its text--you can only read JavaScript data, such as links. So the claim that this grants general 'read' access to the user's hard drive is false."

Haselton and Netscape both pointed out that the exploit only works if the computer user has his or her profile name set to "default," which Haselton said was true for most people's configurations. Communicator profile names can be found at the following path on computers with the Windows operating system: C:\Program Files\Netscape\Users\.

Netscape said it was testing a pair of potential fixes to the problem, which it would add to an upcoming minor point release of Communicator 4.7. Netscape recommended that Web users concerned about the bug turn off JavaScript, refuse to accept cookies, or accept cookies only from trusted sources.

Microsoft is grappling with a similar cross-frame browser security problem.