Information Security News mailing list archives
Netscape, Microsoft probe security flaws
From: InfoSec News <isn () C4I ORG>
Date: Fri, 11 Aug 2000 03:27:09 -0500
http://www.fcw.com/fcw/articles/2000/0807/web-netscpe-08-10-00.asp

BY Stephanie Sanborn and Brian Fonseca, InfoWorld
08/10/2000

Security flaws have popped up involving the use of Java in Netscape Communications Corp.'s Navigator browser, and Microsoft Corp. is investigating a Trojan-horse-style intrusion in Word documents.

The Netscape bug, "Brown Orifice," lets an unsigned Java applet read and dispense files from a user's computer. The issue can be prevented by disabling Java, but Sun Microsystems Inc. and Netscape are working on confirming and finding a solution for the bug.

"The fact that the code is out there published means any script kiddie can copy this and plug it into a Web site infrastructure and compromise a site," said Chris Rouland, a director of the X-Force security group at Internet Security Systems, Atlanta. "We consider it a serious attack tool because the first day of any attack is information-stealing."

Rouland said all versions of Netscape Navigator and Netscape Communicator versions 4.74 and earlier are defenseless when the Java applet is enabled.

The flaw is not contained within Netscape 6.0, which Netscape plans to release later this year, according to Andrew Weinstein, a spokesman for America Online Inc., which owns Netscape. The company posted Netscape 6.0 Preview Release 2 as a free download on Tuesday. The beta release adds more customization, security and mail features.

The Microsoft security problem, reported by bug-finder Georgi Guninski, involves Word documents, either as e-mail attachments or opened through Web sites, that would use the Mail Merge function of Word to open an Access database owned by the malicious user and run code on the victim's computer. Data could be exposed or the malicious user could take over the computer altogether, according to Guninski.

The bug can be avoided if a user has implemented the Office Mail security update from three months ago or the Office Document Open Confirmation (ODOC) tool, both of which create a prompt before opening Word documents from Web sites. The recent Outlook security update also addresses the issue, but the best way to avoid the whole situation is to carefully consider any files you are asked to place on your computer, according to Scott Culp, product manager for Microsoft's security response team.

ISN is hosted by SecurityFocus.com