March 17, 1997 12:15 PM PST
Developers: Bugs ahead
That's the prediction from developers at the Internet World trade show last week, and it already appears to be coming true. Last week, a programmer discovered a security hole in Macromedia's Shockwave plug-in that could allow a hacker to retrieve personal email from a user's computer. The problem affects users of Navigator, but not Internet Explorer, according to David de Vitry, the programmer who discovered the hole.
Still, even as more bugs continue to creep out of browsers, developers are comforted by the fact that the glitches are being discovered by responsible programmers and not unscrupulous hackers bent on mayhem--for now. The bugs discovered last week in Explorer were all found by university students who posted information on the Internet warning users of the potential security risks of the bugs.
"People are finding bugs so they're getting fixed faster," said Scott Barnett, a systems engineer at Java developer Novera.
"You can't be too cautious about security," said Rob Martell, director of product development at Digital Renaissance. "But I also think that any good programmer can find a hole with anything."
Programmers have done just that with the Shockwave security hole. According to a Web site posted by de Vitry, a malicious programmer could create a Shockwave movie that scans a user's emails and uploads them to a server. Shockwave is a plug-in for Navigator or Explorer that plays multimedia files created in Macromedia's Director authoring tool.
Norm Meyrowitz, chief technology officer at Macromedia, said the company is evaluating the release of a patch to Shockwave users. He also said that users of its new Shockwave 6.0 and Communicator are not affected.
Many developers believe that the hypercompetitive atmosphere in Internet software is increasingly leading companies to ship products before they are ready. At the same time, they seem willing to accept some security risks as the cost of rapid rollout of new technologies.
"If we slow down, maybe we would stop innovation," Novera's Barnett said.
Some developers welcome the intense scrutiny of Internet programmers, saying that it ultimately results in stronger products. "As a developer, there is no way that I can predict all bugs," said Ron Moritz, technical director of Finjan, which makes security products for Explorer and Navigator. "I rely on academia and Chaos Computer Club alike."