A researcher at Bell Labs
and Netscape Communications
The hole could allow a malicious Web site to snatch private data that users enter into Web forms, such as passwords, credit card numbers, and Social Security numbers, even after leaving the malicious site. Users are vulnerable to the data theft whether a browser employs encryption technology or a user is behind a firewall, according to Vinod Anupam, the Bell Lab researcher. A site could also exploit the hole to monitor what Web sites a user visits.
Bell Labs discovered the glitch in late June and reported it to Netscape, Microsoft, and the Computer Emergency Response Team (CERT) at the end of the month. Yesterday, CERT, a team of security experts at Carnegie Mellon University, issued an advisory warning of the hole.
"To the best of our knowledge there hasn't been an exploit based on this," Anupam said. "However, the potential for misuse is very real."
That browser is then used to monitor which sites a user visits through his or her main browser. If, for example, the user purchased a book at Amazon.com using a credit card, the card number would be exposed to the malicious Web site.
Today, Netscape representatives said that they have already fixed the glitch in the 3.02 version of Navigator, posted earlier this week on its FTP site. Users of the company's new Communicator software can download a fix for that browser next week, said Dave Rothschild, Netscape's director of marketing for client applications.
Rothschild added that the problem affects browser on all the platforms its supports, including Windows, Mac, and Unix.
However, Kevin Unangst, a product manager at Microsoft, said that the company has found that the bug only affects the Windows 95 and NT versions of its browser. The company will issue a software patch next week to fix the hole in its existing browser and will include a fix in the next beta of Internet Explorer 4.0, due out later this month, he said.
One privacy expert, Dave Banisar, staff counsel at the Electronic Privacy Information Center, said that software companies can't rely on encryption as a safety net to protect data from theft.
"Encryption is only as good as the infrastructure it's implemented into," he said.