Netscape Security Bug Still Exists in Version 2.01

The April-May issue of The DataBus reported the existence of a security hole in beta and released versions of Netscape Navigator version 2.0. The bug is in the browser's handling of JavaScript and allows information on the client's hard disk to be compromised.

In one instance, a 10th-grade hacker wrote a script that could capture information from a hard disk and store it in "cookies" or file snippets that could later be retrieved remotely. The hacker discovered the breach during beta testing of Navigator version 2 and reported it to Netscape. Netscape reportedly fixed the bug in subsequent beta releases and again in the released version 2.0.

However, the Computer Reseller News of March 25, 1996 reports that Eric Perlman, the 10th grader, has created several "hacks" that get around the Netscape security holes supposedly fixed in version 2.01. Perlman has reproduced his "cookie" script that can send back information such as registration and credit card numbers. He has also stumbled across a bug that enabled him to access URLs behind an organization's firewall.

The report further states that the presence of the bug is a direct result of Netscape's haste to get the JavaScript processing "out the door" without undergoing rigorous testing that may have identified the security hole.

In order to avoid compromising information on your local computer, the Netscape Navigator version 2.0 web browser can be configured to bypass Java processing altogether. Select Options/Security Preferences and click the appropriate radio buttons to disable Java processing and scripts. This can be used as a stop-gap measure until Netscape releases another bug-fix version.

For further information, visit the Netscape home page. Information about the security enhancements in Netscape Navigator 2.01 can be found on the Security Enhancements page at Netscape. Information about Java can be found at the Sun Microsystems Java Web Site.



Last Updated: 03/29/96 ac