Gifts Under $30 Gifts Under $50 iPhone Emergency SOS Saves Man MyHeritage 'Time Machine' Guardians of the Galaxy 3 Trailer White Bald Eagle Indiana Jones 5 Trailer Black Hole's 1,000 Trillion Suns
Want CNET to notify you of price drops and the latest stories?
No, thank you

Communicator subject to frame-spoofing

Microsoft isn't the only one with a frame spoofing problem.

Microsoft isn't the only one with a frame spoofing problem.

Netscape Communications today acknowledged that its Communicator Web browsing software was vulnerable to a frame-spoofing exploit. Vulnerable browsers let one Web site insert its own frames into a third-party site in the window of a surfer who visits both sites.

The trick poses risks to unsuspecting users who might forfeit credit card or other private information when visiting a trusted Web site. The exploit also can be implemented through email.

Microsoft last week posted a patch for its Internet Explorer browser to protect IE users from the exploit.

Browser maker Opera Software said it had long protected users against frame-spoofing. But today the company acknowledged minor problems with its frame implementation, and said it would be fixed in the next minor-point release of the browser, version 3.52, expected later this month.

The vulnerability was discovered and demonstrated by Canadian security site SecureXpert, a division of Canadian firm FSC Internet.

The problem with the Microsoft and Netscape browsers is that they allow the manipulation of frames across domains. With the new patch, IE restricts the writing of frames to a single domain. Opera's browser is even stricter, and for the past year has restricted frame-writing to pages originating from the same Web server.

Netscape said it had verified that Communicator was susceptible to the exploit, and that it was beginning to work on a solution.

While Opera Software has restricted frames since its year-old 3.21 version, the company recently noticed a JavaScript glitch that causes the browser to try to open up the bogus frame--but with the wrong address. That result thwarts the SecureXpert exploit, but Opera plans to fix the glitch so that the browser won't try to open the bogus frame at all.