Re: Netscape Bug :)))
At 10:47 PM 6/12/97 -0500, Igor Chudov wrote:
>
>William H. Geiger III wrote:
>> Seems that there is a bug in Netscape including the new Communicator that
>> will allow a web site to read *ANY* file on your computer. I repeat
>> *ANY*, yes Virginia, *ANY* file on your computer.
>>
>> WebEx user and loving it. :)))))
>
>Do you know if the bug affects Unix versions? How about linux?
>
>And what is the exploit?
------------------------------------------------
Danish software firm finds flaw that could let sites see data stored on PCs

From Correspondent Steve Young
June 12, 1997: 6:58 p.m. ET

NEW YORK (CNNfn) - A serious new flaw
that affects all versions of Netscape
Communications Corp.'s popular Navigator
Internet browser software -- including the final
test version of its Communicator Suite released
Wednesday -- has been uncovered by a Danish
software firm, CNNfn has learned.

The bug was reported by Cabocomm, a
software company located about 100 miles west
of Copenhagen, Denmark. The bug makes it
possible for Web-site operators to read anything
stored on the hard drive of a PC logged on to
the Web site.

After the firm reported the bug to CNN
Financial News, CNNfn and PC Magazine
tested the bug by creating and storing a
document on a PC's hard drive in New York.
Seconds later, the Danish company read it.

As further proof, CNNfn and PC Magazine
created another document which the Danish
company was also able to read.

Larry Seltzer, technical director of PC Labs,
was among those who helped verify the bug
report. He said it would take a somewhat savvy
computer user to exploit the bug.

"They have to be seeking information from your
system and they also have to know the file
name. It's not that hard for somebody who's
looking to make trouble, but they do have to be
looking for it," Seltzer said.

"It's serious in that it's in the [actual] browser
...whereas previous bugs generally required the
user to have downloaded an additional product,"
Jim Wise, UNIX administrator for CNNfn, said.

CNNfn's test showed that Internet security
firewalls offer no protection from the bug.

Mike Homer, vice president of marketing for
Netscape, said the company takes this and all
bug reports seriously.

The Danish company says the reward of $1,000
and a T-shirt is "insultingly low" considering the
extent to which the bug report is likely to worry
Netscape users.

Cabocomm said it would accept "reasonable
compensation" for the technical information -- or
they can send a Netscape representative to
Cabocomm and get it for free.

CNNfn, PC Magazine and the Danish company
will not release technical details on the bug until
Netscape has prepared a bug fix.

The reason CNNfn is not reporting the specifics
of the bug is to avoid anyone exploiting it.

Until the bug is fixed, confidential letters,
business spreadsheets -- everything on your PC
-- can potentially be pilfered.

The Danish company says it won't exploit the
bug, but has no idea if someone else has found
the same bug and is compromising a system's
integrity.
*********************************************************
Lynne L. Harrison, Esq. | "The key to life:
Poughkeepsie, New York | - Get up;
[email protected] | - Survive;
http://www.dueprocess.com | - Go to bed."
************************************************************
DISCLAIMER: I am not your attorney; you are not my client.
Accordingly, the above is *NOT* legal advice.