From: jya@pipeline.com (John Young)
Date: Sun, 19 May 1996 00:43:13 +0800
To: cypherpunks@toad.com
Subject: NYT on Netscape Flaw
Message-ID: <199605181156.LAA22255@pipe5.t2.usa.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   The New York Times, May 18, 1996, pp. 31, 43. 
 
 
   New Netscape Software Flaw Is Discovered 
 
   By John Markoff 
 
 
   Computer science researchers at Princeton University said 
   yesterday that they had discovered a new and potentially 
   serious flaw in the Netscape Communicatlons Corporation's 
   Navigator software, the leading program used to browse the 
   World Wide Web of the Internet. 
 
   The flaw, which was found in recent versions of the 
   Netscape software that support Sun Microsystems' Java 
   programming language, could allow people to write 
   destructive or malicious programs and potentially destroy 
   or steal data or otherwise tamper with a computer that was 
   connected to the Internet and used the Navigator program. 
 
   Netscape executives said that the researchers had been in 
   touch with them about the problem on Thursday and that the 
   software company was in the process of producing a new 
   version of the Navigator program that would protect against 
   potential attacks. 
 
   This is the third flaw in the Navigator program discovered 
   in recent months by the Princeton group. Netscape has been 
   under tremendous scrutiny over the security of its popular 
   software since the fall, when a group of researchers at the 
   University of California at Berkeley discovered a flaw in 
   the Netscape security system. 
 
   In the most recent case, Thomas Cargill, an independent 
   software consultant working with the Princeton group, 
   discovered a problem in the way Netscape has used the Java 
   language in its Navigator program. The group disclosed a 
   similar flaw in March in the Netscape Navigator that would 
   permit a Java program to run illicitly on a computer that 
   was running the Netscape program and perform damaging 
   operations. 
 
   "Netscape has fixed a series of problems, and the overall 
   security of their system has improved, but there is still 
   some reason for concern," said Prof. Edward Felton, the 
   leader of the Princeton group, which includes two graduate 
   students, Drew Dean and Dean Wallach. 
 
   Programs that are known as viruses and worms are a serious 
   threat to computer networks because they can move from 
   machine to machine quickly, carrying out destructive 
   applications. Sun Microsystems' Java language has been 
   designed to limit what a virus can do once it is 
   transferred across the Internet. But the security 
   mechanisms only work if the virus's code can be restricted 
   in a safety "box" constructed out of software. 
 
   Netscape's executives acknowledged yesterday that the 
   Princeton University team had on both occasions been able 
   to find doors that let program code out of the safety box. 
 
   "We're trying to create a sandbox which has rooms where 
   only certain things happen," said Jeff Trehaft, Netscape's 
   director of security. "What happened is that the Princeton 
   team found a door and it turned out that there weren't 
   adequate protections surrounding the door." 
 
   The company said it was in the process of posting on the 
   Internet a new version of the most recent test version of 
   its next-generation Internet program, version 3.0 beta. The 
   program contains a special fix to prevent the new attack. 
   He said Netscape had not yet posted a fix for the most 
   recent commercial release of its software, version 2.02, 
   but was instead encouraging customers to use the 3.0 beta 
   software. 
 
   Since the Berkeley researchers discovered the first 
   security flaw the company has offered a $1,000 "bugs 
   bounty" to programmers who are able to locate security 
   flaws. 
 
   [End]