Tuesday August 8, 2000
Netscape to Offer Patch to Shield Users From Glitch
By Reshma Kapadia

NEW YORK (Reuters) - Netscape Communications Corp., a unit of America Online Inc. (NYSE: AOL), plans to make a patch available so that users can protect themselves from a glitch found in Netscape's browser software that can be used to let hackers view or retrieve files on a computer or network.

Over the weekend, programmer Daniel Brumleve outlined on his Web site a security hole in Netscape's Java distribution, dubbing it Brown Orifice, that could allow access to local files after a user opens an e-mail or visits a Web site.

"It's very serious because it's very straightforward to exploit," said Chris Rouland, director of Internet Security Systems Inc.'s (NasdaqNM: ISSX) internal research and development group, X-Force, of the Netscape glitch.

"If a hacker implants this malicious Java code on a site, it can infect users. It can read the entire file on a hard drive on the Internet, such as Quicken data, spreadsheets and passwords."

Rouland said about 1,000 people had been affected by early Monday morning, according to his company's calculations.

"Netscape takes all security issues very seriously and we are working to quickly evaluate and address this concern," said Andrew Weinstein, an AOL spokesman. "We plan to make a patch available in the near future but in the interim users can protect themselves by simply turning off Java."

The patch is a software download that fixes bugs in software. The flaw is expected to be fixed in Netscape 6.0, a new version that the company is expected to release within the next few months.

AOL also cautioned its users to be careful when clicking on hyperlinks in e-mail and when going to sites they are not familiar with because they will only be vulnerable if they go to certain sites.

"When we saw the (Microsoft Corp. (NasdaqNM: MSFT)) Outlook viruses earlier this year, one strategy some users took was 'I'm switching platforms to Netscape.' It's indicative that switching vendors is not necessarily effective as a security measure," Rouland said.

This was the latest in a series of security glitches discovered recently in various companies' software, but Vincent Gulotto, of Network Associates Inc.'s (NasdaqNM: NETA) McAfee's Avert Lab, said the difference between this glitch and other recent incidents was that it was within Netscape and not Microsoft.

"There have been numerous proofs of concepts done with Internet Explorer and Outlook. I think the objective (of the finding) was to just show that all software has some possibility (for vulnerability) at some level. Some are not as easy to exploit as others," he said about the finding.

McAfee writes software that, among other things, protects computer systems from viruses and other security threats.

Brumleve could not be reached for comment on his finding.
