1998-09-28 - IP: Potentially Big Security Flaw Found in Netscape Software

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@cyberpass.net
Message Hash: 6c533e56892950b3743707eac21b9292993b94c2af8a0a6840e27912c9c6d1a4
Message ID: <v0401171ab23569cc31fd@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1998-09-28 03:28:27 UTC
Raw Date: Mon, 28 Sep 1998 11:28:27 +0800

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Mon, 28 Sep 1998 11:28:27 +0800
To: cypherpunks@cyberpass.net
Subject: IP: Potentially Big Security Flaw Found in Netscape Software
Message-ID: <v0401171ab23569cc31fd@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain




--- begin forwarded text


Delivered-To: ignition-point@majordomo.pobox.com
X-Sender: believer@telepath.com
Date: Mon, 28 Sep 1998 11:24:13 -0500
To: believer@telepath.com
From: believer@telepath.com
Subject: IP: Potentially Big Security Flaw Found in Netscape Software
Mime-Version: 1.0
Sender: owner-ignition-point@majordomo.pobox.com
Precedence: list
Reply-To: believer@telepath.com

Source:  New York Times
http://www.nytimes.com/library/tech/yr/mo/biztech/articles/28java.html

September 28, 1998

Potentially Big Security Flaw Found in Netscape Software

By JOHN MARKOFF

SAN FRANCISCO -- A potentially serious security flaw has been
discovered in the programming language used in the Navigator and
Communicator software of the Netscape Communications Corp., with
the defect possibly allowing an outsider to read information on a personal
computer user's hard disk.

The weakness, which was disclosed in Usenet online discussion groups
on Friday by Dan Brumleve, a 20-year-old independent computer
consultant in Sunnyvale, Calif., can be exploited by the Javascript
programming language, which is widely used by World Wide Web page
developers for a variety of common tasks.

Brumleve said that he had tested the attack on a range of Navigator and
Communicator programs, up through the most recent test version of
Communicator, 4.5, and found the flaw in all of them. The vulnerability
does not affect the Microsoft Explorer browser and e-mail program,
Brumleve said.

He was able to take advantage of the vulnerability by writing a 30-line
piece of Javascript code that is able to capture and copy information
automatically from the so-called cache, or temporary storage area, on a
PC's hard disk. The captured information can reveal which Web sites a
computer user has recently visited.

The captured information could also include data that a computer user
might have created when communicating with a Web site -- including
personal data typed in when registering at a site or conducting a retail
transaction. Credit card information, however, would not be revealed,
because it is protected by separate security software.

"It concerns me, because it means that a high-traffic Web site might use
this to find out what other Web sites their visitors are going to," Brumleve
said in a telephone interview Sunday. He said that the flaw could also be
used by an employer to see if employees were searching for
pornography, for example.

Although there is no evidence that the security flaw has actually been
exploited by someone with harmful intent, the gravity of the threat was
noted by other computer security specialists. They noted that a user's
vulnerability extends beyond visiting a hostile Web site that might exploit
the flaw. The flaw could also be exploited through e-mail received using
Netscape's software, they said, by sending an intended victim an e-mail
message that would secretly force the user to run an illicit Javascript
program.

"This is pretty scary," said Richard M. Smith, president of Phar Lap
Software Inc., a software development company in Cambridge, Mass.
"In some sense the cache on your computer tells a lot about your life."

Privacy of personal information on the Internet has become an
increasingly sensitive issue in recent years as many Web sites have begun
systematically collecting demographic information on Internet users. But
this newly discovered flaw could enable an unscrupulous person or
organization to basically read a person's full Web history.

"This is a huge privacy issue and it goes directly to the current lack of
adequate technical standards to protect privacy on line," said Marc
Rotenberg, director of the Electronic Privacy Information Center, a
public policy group in Washington. "There's even a question of a
company like Netscape might be liable for the improper disclosure of
private information."

Netscape said Sunday that it was still assessing the problem.

"We're taking a look at the bug, which appears to have privacy
implications," said Eric Byunn, a Netscape product manager. He said that
the company would make an announcement soon about its plans for
responding to the flaw.

 Copyright 1998 The New York Times Company
-----------------------
NOTE: In accordance with Title 17 U.S.C. section 107, this material is
distributed without profit or payment to those who have expressed a prior
interest in receiving this information for non-profit research and
educational purposes only. For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
-----------------------





--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




