Just two weeks after issuing an updated browser that fixed a series of bugs, Netscape Communications (NSCP) is once again breaking out the bug spray, this time to fix three problems in its just-released Navigator 4.02.
A Microsoft representative said today the company began testing yesterday and has not yet found any problems with IE 3.x or 4.0. "We'll continue to keep monitoring and testing," the representative added.
Two of the problems are not really a threat to users, according to dos Santos, but the third creates the opportunity to swipe credit card numbers and other personal information from a browser.
To do so, a malicious Web designer must create a "tracker" applet that stays with a browser after the user has visited the page in question. The applet, most likely in the form of a second, invisible window, then swipes information from the larger window and sends it back to the malicious Web site.
This "tracker" problem was also at the core of previous bugs that both Netscape and dos Santos said were fixed with the 4.02 release. Dos Santos has not yet tested to see if the bugs affect Microsoft's Internet Explorer browser.
"The attack is the same, but it's a different variation [of the hole] that creates the same bad effect," dos Santos said.
Netscape has found a fix for all three bugs and will issue a patch next week. Users will not have to download the entire Communicator suite to receive the patch. Those who buy the retail version on CD-ROM will have to visit the Netscape Web site to download it, according to Communicator product manager Daniel Claussen.
Company representatives pointed to the popularity of the browser as one reason so many holes are being poked in the software. "This type of testing is something no other software has seen before," said Claussen, who pointed out that the company has not had to change the browser's security model.
The market "is too competitive, and [Microsoft and Netscape] have big pressure to release new versions," he added. "If it were an ideal or academic world, I would do a lot more testing for security problems."
Both companies have been criticized for relying on the public as de facto beta testers. Conceding the value of such anonymous testers, Netscape has a "Bugs Bounty" program that rewards bug finders with $1,000 and a T-shirt.