WSJ on Netscape Hole 3
The Wall Street Journal, September 25, 1995, p. B12.
Netscape Software for Cruising Internet Is Found to Have
Another Security Flaw
By Jared Sandberg
Another security flaw that has long plagued the Internet
has been found in software by Netscape Communications Corp.
and others, raising concerns for the privacy and safety of
information on the global computer network.
The flaw in Netscape's popular Navigator software, which
helps users cruise the multimedia portion of the Internet
known as the World Wide Web, is the third defect in the
software discovered by the "Cypherpunks" discussion group
in little over a month. Members of the Cypherpunk group,
which includes mathematicians and hackers who discuss the
security method of cryptography, last month broke
Netscape's "key" that protects sensitive data by "brute
force" -- the use of massive computing power. Last week,
other members found a flaw that could let hackers
essentially pick the lock in Netscape's software.
Unlike the prior glitches, however, the latest flaw doesn't
lend itself to the theft of multiple credit-card numbers.
Instead, it could allow a savvy hacker to damage an
Internet user's computer, such as crashing the computer or
deleting files.
"This is just another indication that Netscape isn't being
careful," said William Cheswick, a security researcher at
AT&T Corp.'s Bell Laboratories.
Still, he said, the flaw goes well beyond Netscape. It
first reared its head seven years ago when Cornell graduate
student Robert Morris used it to create a "worm" that
crippled thousands of computers on the Internet. Last
February, the same kind of flaw was found in the popular
Mosaic program created by the University of Illinois. But
that strain of the flaw was more serious than its latest
appearance because it affected the computers that store
many users' credit-card numbers. Now experts are
discovering that the flaw shows up in other so-called Web
browsers such as Links and Arena.
"We're so glad that the network dog dances, we don't
realize that it's rabid," Mr. Cheswick said of the
programming quality of many software packages.
Marc Andreessen, vice president of technology at Netscape,
said the company will issue fixes for the recent glitches
later this week. He added that it's unclear whether
anything other than temporarily crashing a user's computer
could result from the recent flaw. But, he said, once users
adopt the modified software, "this won't be around long
enough to cause a problem."
Some, however, worry that another variation of the flaw
will prove more difficult to cope with in the coming
months. Bruce Fancher, president of Phantom Access
Technologies Inc., operator of the Mindvox Internet access
service, said a variation of the security hole has been
found in several Unix software packages, which run on
thousands of Internet computers that contain users'
credit-card numbers and other personal information. It
could cause far more damage than the Netscape flaw, he
said. "This is going to be a big problem," warned Mr.
Fancher, adding that he's been told that hackers are
already devising software toolkits to exploit the hole.
"This flaw is an easy mistake to make, but it's also easy
to fix," he said.
The latest flaw came to light early Friday morning when a
reader of the Cypherpunk mailing list discovered the glitch
and posted a message to the Internet. Basically, the
software on an end-user's machine allows for commands that
are too long, letting an intruder tack on an extra line of
damaging code that could crash the computer. Instead, the
software should verify the length of the commands that
computers accept.
Security buffs concede that the recent round of security
glitches found in several pieces of software, including a
virus found in Microsoft Corp.'s Word program and security
problems at America Online Inc., has shaken confidence in
electronic commerce. But they say the publicity brings to
light problems that will ultimately make software more
secure. Richard Lethin, a graduate student at
Massachusetts Institute of Technology who participates in
the Cypherpunk discussion, said: "This technology for
electronic commerce is ultimately going to be real
important, but there might be some hiccups at the start."
[End]