Microsoft and Netscape Communications are pointing fingers at each other over a browser-related security problem that neither company has any intention of fixing.
In a security scenario that lets a hostile Web site pilfer private information, including email passwords and some browsing history, both Netscape and Microsoft play a role. An exploit would use privileges granted by Microsoft's Internet Explorer browser to run a script placed on the Web site visitor's computer by Netscape's Communicator.
"This is by-design behavior, not a security vulnerability," said Scott Culp, security program manager with Microsoft's security response center. IE "allows a Web site to run any script that it trusts, including scripts placed on the (Web page visitor's) computer."
The security squabble comes as Microsoft faces renewed criticism of its liberal scripting security restrictions, which some have blamed for opening the door to the "I Love You" virus that struck computer networks worldwide yesterday. That virus, written in Microsoft's Visual Basic scripting language, targets the company's Outlook email program and other applications.
The software giant denies that the ongoing security issues are a result of problems with Visual Basic or its other scripting technologies. In regard to the IE vulnerability, Culp said the blame rested with Netscape for placing a script--written in JavaScript, in this case--in a known location on the client machine.
"The real issue is the fact that Netscape's installation is putting this script in a place that any Web site can find it," Culp said. "It exposes some fairly powerful functionality."
IE's documented security model has permitted the running of such client-side scripts since version 4, Culp said.
Web scripts are lines of code that let browsers execute actions without a person's interaction. Common uses of scripts on the Web include the launching of pop-up windows or the running of tickers across the screen.
Netscape rejected Culp's analysis of the browser problem.
"It is ridiculous for Microsoft to blame an exploit running through their browser on code that's part of the Netscape installation on the hard disk," said Eric Krock, Netscape's group product manager for tools and components. "Netscape's users are not vulnerable to the same problem because our security model prevents this kind of inappropriate mixed execution of local code and hostile remote code."
The company called on Microsoft to take measures to protect people against the browser vulnerability.
"Rather than trying to blame Netscape for an IE exploit, we hope Microsoft will take full responsibility for the safety of its users and the data and code on their hard disks and for advising them on how to protect themselves from this exploit," Krock said.
Independent security analysts took Netscape's side in the disagreement.
"While the exploit only works on users who use Netscape as their main Web browser, the reason the exploit works is because of a hole in Internet Explorer," said filtering activist and security enthusiast Bennett Haselton, who posted a demonstration of an exploit. The demonstration, as well as the exploit, works only for people browsing with IE who have Netscape installed on their computers.
Security consultant Richard Smith added: "I reported this same bug to Microsoft more than a year ago and got the same response. It is a bug that Microsoft needs to fix. Netscape fixed it themselves a few years back."
Smith said the next generation of Internet computing poses a similar problem with IE and XML (Extensible Markup Language) files.
"An incoming email message or Web page can read and send off the contents of XML files," Smith said. "It's no biggie right now, since the use of XML is just beginning. However, down the road, this might be a good way to steal private information kept by applications in XML files."
Microsoft could not be reached for comment on Smith's analysis of IE and XML.