Information Security News mailing list archives

Microsoft, Netscape squabble over browser scripting hole


From: William Knowles <wk () C4I ORG>
Date: Sun, 7 May 2000 15:31:58 -0500

http://news.cnet.com/news/0-1005-200-1820959.html?tag=st.ne.1002.bgif.ni

By Paul Festa
Staff Writer, CNET News.com
May 5, 2000, 11:35 a.m. PT

Microsoft and Netscape Communications are pointing fingers at each
other over a browser-related security problem that neither company has
any intention of fixing.

In a security scenario that lets a hostile Web site pilfer private
information, including email passwords and some browsing history, both
Netscape and Microsoft play a role. An exploit would use privileges
granted by Microsoft's Internet Explorer browser to run a script
placed on the Web site visitor's computer by Netscape's Communicator.

"This is by-design behavior, not a security vulnerability," said Scott
Culp, security program manager with Microsoft's security response
center. IE "allows a Web site to run any script that it trusts,
including scripts placed on the (Web page visitor's) computer."

The security squabble comes as Microsoft faces renewed criticism of
its liberal scripting security restrictions, which some have blamed
for opening the door to the "I Love You" virus that struck computer
networks worldwide yesterday. That virus, written in Microsoft's
Visual Basic scripting language, targets the company's Outlook email
program and other applications.

The software giant denies that the ongoing security issues are a
result of problems with Visual Basic or its other scripting
technologies. In regard to the IE vulnerability, Culp said the blame
rested with Netscape for placing a script--written in JavaScript, in
this case--in a known location on the client machine.

"The real issue is the fact that Netscape's installation is putting
this script in a place that any Web site can find it," Culp said. "It
exposes some fairly powerful functionality."

IE's documented security model has permitted the running of such
client-side scripts since version 4, Culp said.

Web scripts are lines of code that let browsers execute actions
without a person's interaction. Common uses of scripts on the Web
include the launching of pop-up windows or the running of tickers
across the screen.

Netscape rejected Culp's analysis of the browser problem.

"It is ridiculous for Microsoft to blame an exploit running through
their browser on code that's part of the Netscape installation on the
hard disk," said Eric Krock, Netscape's group product manager for
tools and components. "Netscape's users are not vulnerable to the same
problem because our security model prevents this kind of inappropriate
mixed execution of local code and hostile remote code."

The company called on Microsoft to take measures to protect people
against the browser vulnerability.

"Rather than trying to blame Netscape for an IE exploit, we hope
Microsoft will take full responsibility for the safety of its users
and the data and code on their hard disks and for advising them on how
to protect themselves from this exploit," Krock said.

Independent security analysts took Netscape's side in the
disagreement.

"While the exploit only works on users who use Netscape as their main
Web browser, the reason the exploit works is because of a hole in
Internet Explorer," said filtering activist and security enthusiast
Bennett Haselton, who posted a demonstration of an exploit. The
demonstration, as well as the exploit, works only for people browsing
with IE who have Netscape installed on their computers.

Security consultant Richard Smith added: "I reported this same bug to
Microsoft more than a year ago and got the same response. It is a bug
that Microsoft needs to fix. Netscape fixed it themselves a few years
back."

Smith said the next generation of Internet computing poses a similar
problem with IE and XML (Extensible Markup Language) files.

"An incoming email message or Web page can read and send off the
contents of XML files," Smith said. "It's no biggie right now, since
the use of XML is just beginning. However, down the road, this might
be a good way to steal private information kept by applications in XML
files."

Microsoft could not be reached for comment on Smith's analysis of IE
and XML.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
