[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NYT on Netscape Flaw
The New York Times, May 18, 1996, pp. 31, 43.
New Netscape Software Flaw Is Discovered
By John Markoff
Computer science researchers at Princeton University said
yesterday that they had discovered a new and potentially
serious flaw in the Netscape Communicatlons Corporation's
Navigator software, the leading program used to browse the
World Wide Web of the Internet.
The flaw, which was found in recent versions of the
Netscape software that support Sun Microsystems' Java
programming language, could allow people to write
destructive or malicious programs and potentially destroy
or steal data or otherwise tamper with a computer that was
connected to the Internet and used the Navigator program.
Netscape executives said that the researchers had been in
touch with them about the problem on Thursday and that the
software company was in the process of producing a new
version of the Navigator program that would protect against
potential attacks.
This is the third flaw in the Navigator program discovered
in recent months by the Princeton group. Netscape has been
under tremendous scrutiny over the security of its popular
software since the fall, when a group of researchers at the
University of California at Berkeley discovered a flaw in
the Netscape security system.
In the most recent case, Thomas Cargill, an independent
software consultant working with the Princeton group,
discovered a problem in the way Netscape has used the Java
language in its Navigator program. The group disclosed a
similar flaw in March in the Netscape Navigator that would
permit a Java program to run illicitly on a computer that
was running the Netscape program and perform damaging
operations.
"Netscape has fixed a series of problems, and the overall
security of their system has improved, but there is still
some reason for concern," said Prof. Edward Felton, the
leader of the Princeton group, which includes two graduate
students, Drew Dean and Dean Wallach.
Programs that are known as viruses and worms are a serious
threat to computer networks because they can move from
machine to machine quickly, carrying out destructive
applications. Sun Microsystems' Java language has been
designed to limit what a virus can do once it is
transferred across the Internet. But the security
mechanisms only work if the virus's code can be restricted
in a safety "box" constructed out of software.
Netscape's executives acknowledged yesterday that the
Princeton University team had on both occasions been able
to find doors that let program code out of the safety box.
"We're trying to create a sandbox which has rooms where
only certain things happen," said Jeff Trehaft, Netscape's
director of security. "What happened is that the Princeton
team found a door and it turned out that there weren't
adequate protections surrounding the door."
The company said it was in the process of posting on the
Internet a new version of the most recent test version of
its next-generation Internet program, version 3.0 beta. The
program contains a special fix to prevent the new attack.
He said Netscape had not yet posted a fix for the most
recent commercial release of its software, version 2.02,
but was instead encouraging customers to use the 3.0 beta
software.
Since the Berkeley researchers discovered the first
security flaw the company has offered a $1,000 "bugs
bounty" to programmers who are able to locate security
flaws.
[End]