Yet another hole in Communicator is patched, the fourth one since the browser shipped last month.
The security flaw affects both Macintosh and Windows versions of Communicator, producing identical results to two previous flaws related to JavaScript, the scripting language that Netscape invented and uses in its browsers. Discovered by Kuo Chiang of Singapore's Information Technology Institute, the bug allows a Web site administrator to place a nearly invisible applet on a user's hard drive and then track the user's progress across the Web, including any data the surfer types into the browser such as credit card numbers.
The company confirmed the bug Friday but said it knew about the bug Thursday, according to senior security product manager David Andrews. A new version of Communicator will be available in two weeks to coincide with a scheduled software upgrade. Users will have to download the entire suite to patch the security flaw.
One Internet software analyst said he isn't surprised by the number of bugs found in Communicator so far. "Given the development speeds of software, you're basically getting beta software from most companies," said Ira Machefsky of Giga Information Group.
Machefsky, however, said this type of security flaw could threaten e-commerce protocols such as SET (Secure Electronic Transactions). "If it can read any form data, it's even a potential threat to SET. [SET] might not be susceptible to this particular bug, but the protocol assumes that data on your system is safe [before it's transmitted]."
Despite having identical results to two previous JavaScript holes, the latest bug is due to the company's use of LiveConnect, a separate language used to connect Java and JavaScript, Andrews said.
"LiveConnect is the way Java and JavaScript communicate with each other," he said. "It's exposing information that it shouldn't be."
The bug does not affect Microsoft's browsers, according to IE 4.0 product manager Kevin Unangst. Last week, the company posted a new version of IE 3.0 that patched a previous JavaScript bug.
Not nearly as scrutinized as Java and ActiveX, JavaScript and other scripting languages are nonetheless used extensively to deliver information to browsers. Andrews insisted that the architecture of JavaScript and LiveConnect is not problematic, but that their implementation in the browser software has created security breaches.