Bugtraq mailing list archives
Another hole poked in Communicator
From: aleph1 () DFW NET (Aleph One)
Date: Mon, 28 Jul 1997 11:22:33 -0500
http://www.news.com/News/Item/0.4.12840,00.html?latest

Another hole poked in Communicator
By Alex Lash
July 25, 1997, 7:10 p.m. PT

Netscape Communications (NSCP) today confirmed that another hole has been punched in its Communicator browser, the fourth one since the product shipped in June.

Discovered by Kuo Chiang of Singapore's Information Technology Institute, the security flaw affects both Macintosh and Windows versions of Communicator. It produces identical results to two previous flaws related to JavaScript, a scripting language Netscape invented and uses in its browsers.

It allows a Web site administrator to place a nearly-invisible applet on a user's hard drive then track the user's progress across the Web, including any data the surfer types into the browser such as credit card numbers.

The company knew about the bug yesterday and has already fixed it, according to senior security product manager David Andrews. A new version of Communicator will be available in two weeks to coincide with a scheduled software upgrade. Users will have to download the entire suite to patch the security flaw.

Despite having identical results to two previous JavaScript holes, the latest bug is due to the company's use of LiveConnect, a separate language used to connect Java and JavaScript, Andrews said.

"LiveConnect is the way Java and JavaScript communicate with each other. It's exposing information that it shouldn't be."

Not nearly as scrutinized as Java and ActiveX, JavaScript and other scripting languages are nonetheless used extensively to deliver information to browsers. Andrews insisted that the architecture of JavaScript and LiveConnect is not problematic, but their implementation in the browser software has created security breaches.

Microsoft's browsers were also affected by the previous JavaScript bugs. The company released a patch for Internet Explorer 3.0 earlier this week. It is unclear if the latest bug affects Explorer as well.