April 21, 2000 3:00 PM PDT
Netscape tests patches for security hole
The vulnerability lets a hostile Web site glean private information from a visitor, including but not limited to that visitor's bookmarks.
Netscape and the bug's discoverer agree that the problem isn't with any one aspect of Communicator, but with a combination of technologies that lets a malicious Web operator skirt browser security checks.
Computer users can use frames or full windows to access local files on their computer, which is why windows opened from the local disk have those liberal security restrictions. Cross-frame security checks are designed to protect those windows from being hijacked by hostile Web sites.
Cookies are text files that Web sites use to store information about a visitor for future reference. Applications that rely on cookies include Web-based email applications, which use the technology to track how long a visitor has been logged into an account, and shopping carts, which keep track of items a shopper has opted to buy.
Haselton said the exploit could be used to pilfer both bookmarks and cache information. The cache keeps copies of Web pages so that the browser does not have to make new queries to the same Web address to display repeatedly requested content.
"Getting 'read' access to the user's hard drive is the second-most-powerful exploit you can possibly launch," said Haselton, identifying the ability to execute code on a person's computer as the most powerful. "If I run the exploit on a specific person, I can determine what other sites they have visited."
Netscape, a unit of America Online, minimized the importance of the vulnerability, citing the necessary conditions--having the configuration set to "default" and the browser installed in its default location--and the fact that only links, such as those found in bookmark files, could be accessed using the exploit.
Netscape also disputed Haselton's claim that the hole exposed a user's cache files.
"To exploit this bug, the hostile Web site must know the name of the targeted HTML file," said Eric Krock, Netscape's group product manager for tools and components. "The names of the files in the cache are encrypted. Therefore, files in the cache cannot be accessed."
Netscape further downplayed the seriousness of the hole, pointing out that even vulnerable files were not fully readable through it.
Haselton and Netscape both pointed out that the exploit only works if the computer user has his or her profile name set to "default," which Haselton said was true for most people's configurations. Communicator profile names can be found at the following path on computers with the Windows operating system: C:\Program Files\Netscape\Users\.
Microsoft is grappling with a similar cross-frame browser security problem.