Information Security News mailing list archives

Netscape, Microsoft probe security flaws


From: InfoSec News <isn () C4I ORG>
Date: Fri, 11 Aug 2000 03:27:09 -0500

http://www.fcw.com/fcw/articles/2000/0807/web-netscpe-08-10-00.asp

BY Stephanie Sanborn and Brian Fonseca, InfoWorld
08/10/2000

Security flaws have popped up involving the use of Java in Netscape
Communications Corp.'s Navigator browser, and Microsoft Corp. is
investigating a Trojan-horse-style intrusion in Word documents.

The Netscape bug, "Brown Orifice," lets an unsigned Java applet read
and dispense files from a user's computer. The issue can be prevented
by disabling Java, but Sun Microsystems Inc. and Netscape are working
on confirming and finding a solution for the bug.

"The fact that the code is out there published means any script kiddie
can copy this and plug it into a Web site infrastructure and
compromise a site," said Chris Rouland, a director of the X-Force
security group at Internet Security Systems, Atlanta. "We consider it
a serious attack tool because the first day of any attack is
information-stealing."

Rouland said all versions of Netscape Navigator and Netscape
Communicator versions 4.74 and earlier are defenseless when the Java
applet is enabled.

The flaw is not contained within Netscape 6.0, which Netscape plans to
release later this year, according to Andrew Weinstein, a spokesman
for America Online Inc., which owns Netscape.

The company posted Netscape 6.0 Preview Release 2 as a free download
on Tuesday. The beta release adds more customization, security and
mail features.

The Microsoft security problem, reported by bug-finder Georgi
Guninski, involves Word documents, either as e-mail attachments or
opened through Web sites, that would use the Mail Merge function of
Word to open an Access database owned by the malicious user and run
code on the victim's computer. Data could be exposed or the malicious
user could take over the computer altogether, according to Guninski.

The bug can be avoided if a user has implemented the Office Mail
security update from three months ago or the Office Document Open
Confirmation (ODOC) tool, both of which create a prompt before opening
Word documents from Web sites.

The recent Outlook security update also addresses the issue, but the
best way to avoid the whole situation is to carefully consider any
files you are asked to place on your computer, according to Scott
Culp, product manager for Microsoft's security response team.

ISN is hosted by SecurityFocus.com