Netscape can't shake bug blues

Two weeks after issuing an updated browser that fixed a series of bugs, Netscape is once again fixing three problems in its just-released Navigator 4.02.

3 min read
Just two weeks after issuing an updated browser that fixed a series of bugs, Netscape Communications (NSCP) is once again breaking out the bug spray, this time to fix three problems in its just-released Navigator 4.02.

The company has already fought through two months of browser bug fixes after the June release of Navigator 4.0, part of the Communicator software suite. Most of the problems were related to JavaScript, Netscape's own programming language that is used to add functionality and deliver information to Web pages.

The most recent problems, also related to implementations of JavaScript, occur in the standalone browser, as well as the version in the Communicator 4.02 suite. They were discovered by Andre dos Santos, a University of California at Santa Barbara graduate student working on Net security issues.

A Microsoft representative said today the company began testing yesterday and has not yet found any problems with IE 3.x or 4.0. "We'll continue to keep monitoring and testing," the representative added.

Two of the problems are not really a threat to users, according to dos Santos, but the third creates the opportunity to swipe credit card numbers and other personal information from a browser.

To do so, a malicious Web designer must create a "tracker" applet that stays with a browser after the user has visited the page in question. The applet, most likely in the form of a second, invisible window, then swipes information from the larger window and sends it back to the malicious Web site.

This "tracker" problem was also at the core of previous bugs that both Netscape and dos Santos said were fixed with the 4.02 release. Dos Santos has not yet tested to see if the bugs affect Microsoft's Internet Explorer browser.

"The attack is the same, but it's a different variation [of the hole] that creates the same bad effect," dos Santos said.

Netscape has found a fix for all three bugs and will issue a patch next week. Users will not have to download the entire Communicator suite to receive the patch. Those who buy the retail version on CD-ROM will have to visit the Netscape Web site to download it, according to Communicator product manager Daniel Claussen.

Company representatives pointed to the popularity of the browser as one reason so many holes are being poked in the software. "This type of testing is something no other software has seen before," said Claussen, who pointed out that the company has not had to change the browser's security model.

Dos Santos agreed that the problem is not due to fundamental flaws in JavaScript or even Java. Instead, he said, Netscape has erred in the implementation of the programming languages. Still, the graduate student feels that both contestants in the browser battle aren't dedicating as much time as they should to product security.

The market "is too competitive, and [Microsoft and Netscape] have big pressure to release new versions," he added. "If it were an ideal or academic world, I would do a lot more testing for security problems."

Both companies have been criticized for relying on the public as de facto beta testers. Conceding the value of such anonymous testers, Netscape has a "Bugs Bounty" program that rewards bug finders with $1,000 and a T-shirt.

The standard encryption techniques used to scramble sensitive data, such as SSL (Secure Sockets Layer) and SHTTP, do not protect users against interlopers. The JavaScript hole allows sites to pull data directly out of a Web form on a browser before it is encrypted and sent across the Net.

Not nearly as scrutinized as Java and ActiveX, JavaScript and other scripting languages are nonetheless used extensively to deliver information to browsers.