Browsers face bug problems

Both Netscape and Microsoft are moving to shore up their browsers against thefts of users' private information.

Paul Festa Staff Writer, CNET News.com

Netscape Communications said it would implement a new warning to users whenever they upload a file from their computer to a Web server.

The planned security feature comes in response to a forms exploit demonstrated by Web security enthusiast Bennett Haselton. Haselton's demo uploads the contents of the visitor's .ini file, but the trick could upload any Windows file as long as the Web site operator knows its exact name.

Microsoft's Windows operating system uses .ini files to store configuration information such as printer and font defaults used when a program initializes, or starts up.

Haselton's exploit circumvents a browser security feature that requires users to type in the name of a file before a Web site can upload it. In other words, the client, not the server, has to specify what file is to be uploaded.

The demonstration asks users to type into a form the exact phrase "Verification: I am / we are Windows users / Windows buyers. License required." Within that phrase, in correct order, is the name of the file: "c:/windows/win.ini". Haselton's JavaScript merely filters out the extraneous characters (V, e, r, i, f, a, etc.), and the remaining characters spell the file name that the user has unwittingly typed.

Netscape will implement its file upload warning, probably a dialog box, in a future upgrade to Communicator 4.5. In the meantime, the company advises users to be wary of any site that asks them to type in an exact phrase, unless it is a user name or password that the user has selected.
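As an added illustration (not from the original article, and not Haselton's code), the JavaScript below checks whether a phrase a site asks a user to type contains a file path as an in-order, case-insensitive subsequence, which is the property the demonstration relies on. The function names and the benign sample phrase are assumptions made for this example.

```javascript
// Added example: detect a file path hidden inside a "type this exact phrase" prompt.
// Function names and the benign phrase are hypothetical; the path and the
// suspicious phrase are the ones quoted in the article.

// Returns the indices in `phrase` that spell `path` in order, or null.
function findEmbeddedPath(phrase, path) {
  const needle = path.toLowerCase().replace(/\\/g, "/"); // treat \ and / alike
  const positions = [];
  let j = 0;
  for (let i = 0; i < phrase.length && j < needle.length; i++) {
    let ch = phrase[i].toLowerCase();
    if (ch === "\\") ch = "/";
    if (ch === needle[j]) {
      positions.push(i);
      j++;
    }
  }
  return j === needle.length ? positions : null;
}

// Marks the matched characters so a reviewer can see what would survive filtering.
function highlight(phrase, positions) {
  const hit = new Set(positions);
  return phrase.split("").map((c, i) => (hit.has(i) ? `[${c}]` : c)).join("");
}

// Checks one prompt against a list of paths worth protecting.
function reviewPrompt(phrase, sensitivePaths) {
  const findings = [];
  for (const path of sensitivePaths) {
    const positions = findEmbeddedPath(phrase, path);
    if (positions) findings.push({ path, marked: highlight(phrase, positions) });
  }
  return findings;
}

const SENSITIVE_PATHS = ["c:/windows/win.ini"]; // path named in the article
const ARTICLE_PHRASE =
  "Verification: I am / we are Windows users / Windows buyers. License required.";
const BENIGN_PHRASE = "Please type your user name"; // constructed sample

for (const phrase of [ARTICLE_PHRASE, BENIGN_PHRASE]) {
  const findings = reviewPrompt(phrase, SENSITIVE_PATHS);
  console.log(findings.length ? findings : `no embedded path: ${phrase}`);
}
```

Short paths are subsequences of many long phrases, so a match is a reason to look at the marked characters, not proof of intent.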

Microsoft's browser problem may sound familiar to bug aficionados--it is the second clipboard vulnerability the company has grappled with in as many months. Discovered and demonstrated by Spanish bug hunter Juan Carlos Cuartango, the bug bears some resemblance to one that Microsoft fixed last month.

In that case, Microsoft's Internet Explorer browser, Version 4.x, had to be used on a computer with Microsoft's Office 97, Outlook 98, Project 98, or Visual Basic 5.0 installed on it, according to Cuartango. The problem made users' clipboards vulnerable to inspection by Web operators.

The clipboard holds text that users have most recently copied or cut, and highly sensitive information is not routinely stored there.

Cuartango, who reported the first clipboard problem, said he reported the second to Microsoft on February 10, that the company confirmed it, and that a patch will be available in the next IE 4 service pack. The new vulnerability works with IE 4 alone, and does not require the other programs to be installed.

Microsoft confirmed the problem, and said it was working on a fix. The company stressed that no customers had reported being affected by the issue, and said those concerned about it could disable scripting in IE's security zones.

Like the first clipboard problem, the new one concerns an ActiveX control. In this case, Cuartango's exploit can sneak around IE security rules that forbid access to the Windows clipboard unless the content on it originated from IE.