WSJ on Netscape Hole 3

[John Young <jya@pipeline.com>]

   The Wall Street Journal, September 25, 1995, p. B12.

   Netscape Software for Cruising Internet Is Found to Have
   Another Security Flaw

   By Jared Sandberg


   Another security flaw that has long plagued the Internet
   has been found in software by Netscape Communications Corp.
   and others, raising concerns for the privacy and safety of
   information on the global computer network.

   The flaw in Netscape's popular Navigator software, which
   helps users cruise the multimedia portion of the Internet
   known as the World Wide Web, is the third defect in the
   software discovered by the "Cypherpunks" discussion group
   in little over a month. Members of the Cypherpunk group,
   which includes mathematicians and hackers who discuss the
   security method of cryptography, last month broke
   Netscape's "key" that protects sensitive data by "brute
   force" -- the use of massive computing power. Last week,
   other members found a flaw that could let hackers
   essentially pick the lock in Netscape's software.

   Unlike the prior glitches, however, the latest flaw doesn't
   lend itself to the theft of multiple credit-card numbers.
   Instead, it could allow a savvy hacker to damage an
   Internet user's computer, such as crashing the computer or
   deleting files.

   "This is just another indication that Netscape isn't being
   careful," said William Cheswick, a security researcher at
   AT&T Corp.'s Bell Laboratories.

   Still, he said, the flaw goes well beyond Netscape. It
   first reared its head seven years ago when Cornell graduate
   student Robert Morris used it to create a "worm" that
   crippled thousands of computers on the Internet. Last
   February, the same kind of flaw was found in the popular
   Mosaic program created by the University of Illinois. But
   that strain of the flaw was more serious than its latest
   appearance because it affected the computers that store
   many users' credit-card numbers. Now experts are
   discovering that the flaw shows up in other so-called Web
   browsers such as Links and Arena.

   "We're so glad that the network dog dances, we don't
   realize that it's rabid," Mr. Cheswick said of the
   programming quality of many software packages.

   Marc Andreessen, vice president of technology at Netscape,
   said the company will issue fixes for the recent glitches
   later this week. He added that it's unclear whether
   anything other than temporarily crashing a user's computer
   could result trom the recent flaw. But, he said, once users
   adopt the modified software, "this won't be around long
   enough to cause a problem."

   Some, however, worry that another variation of the flaw
   will prove more difficult to cope with in the coming
   months. Bruce Fancher, president of Phantom Access
   Technologies Inc., operator of the Mindvox Internet access
   service, said a variation of the security hole has been
   found in several Unix software packages, which run on
   thousands of Internet computers that contain user's
   credit-card numbers and other personal information. It
   could cause far more damage than the Netscape flaw, he
   said. "This is going to be a big problem," warned Mr.
   Fancher, adding that he's been told that hackers are
   already devising software toolkits to exploit the hole.
   "This flaw is an easy mistake to make, but it's also easy
   to fix," he said.

   The latest flaw came to light early Friday morning when a
   reader of the Cypherpunk mailing list discovered the glitch
   and posted a message to the Internet. Basically, the
   software on an end-user's machine allows for commands that
   are too long, letting an intruder tack on an extra line of
   damaging code that could crash the computer. Instead, the
   software should verify the length of the commands that
   computers accept.

   Security buffs concede that the recent round of security
   glitches found in several pieces of software, including a
   virus found in Microsoft Corp.'s Word program and security
   problems at Amefica Online Inc., has shaken confidence in
   electronic commerce. But they say the publicity brings to
   light problems that will ultimately make software more
   secure. Richard Lethin, a graduate student at
   Massachusettes Institute of Technology who participates in
   the Cypherpunk discussion, said: "This technology for
   electronic commerce is ultimately going to be real
   important, but there might be some hiccups at the start."

   [End]