Another hole poked in Communicator

Aleph One (aleph1@DFW.NET)
Mon, 28 Jul 1997 11:22:33 -0500

http://www.news.com/News/Item/0.4.12840,00.html?latest

Another hole poked in
Communicator
By Alex Lash
July 25, 1997, 7:10 p.m. PT

Netscape Communications (NSCP) today
confirmed that another hole has been
punched in its Communicator browser, the
fourth one since the product shipped in June.

Discovered by Kuo Chiang of Singapore's
Information Technology Institute, the security
flaw affects both Macintosh and Windows
versions of Communicator. It produces
identical results to two previous flaws related
to JavaScript, a scripting language Netscape
invented and uses in its browsers. It allows a
Web site administrator to place a
nearly-invisible applet on a user's hard drive
then track the user's progress across the
Web, including any data the surfer types into
the browser such as credit card numbers.

The company knew about the bug yesterday
and has already fixed it, according to senior
security product manager David Andrews. A
new version of Communicator will be
available in two weeks to coincide with a
scheduled software upgrade. Users will have
to download the entire suite to patch the
security flaw.

Despite having identical results to two
previous JavaScript holes, the latest bug is
due to the company's use of LiveConnect, a
separate language used to connect Java and
JavaScript, Andrews said.

"LiveConnect is the way Java and JavaScript
communicate with each other. It's exposing
information that it shouldn't be."

Not nearly as scrutinized as Java and ActiveX,
JavaScript and other scripting languages are
nonetheless used extensively to deliver
information to browsers. Andrews insisted
that the architecture of JavaScript and
LiveConnect is not problematic, but their
implementation in the browser software has
created security breaches.

Microsoft's browsers were also affected by
the previous JavaScript bugs. The company
released a patch for Internet Explorer 3.0
earlier this week. It is unclear if the latest bug
affects Explorer as well.