August 29, 1997 2:25 PM PDT
Netscape can't shake bug blues
A Microsoft representative said today the company began testing yesterday and has not yet found any problems with IE 3.x or 4.0. "We'll continue to keep monitoring and testing," the representative added.
Two of the problems are not really a threat to users, according to dos Santos, but the third creates the opportunity to swipe credit card numbers and other personal information from a browser.
To do so, a malicious Web designer must create a "tracker" applet that stays with a browser after the user has visited the page in question. The applet, most likely in the form of a second, invisible window, then swipes information from the larger window and sends it back to the malicious Web site.
This "tracker" problem was also at the core of previous bugs that both Netscape and dos Santos said were fixed with the 4.02 release. Dos Santos has not yet tested to see if the bugs affect Microsoft's Internet Explorer browser.
"The attack is the same, but it's a different variation [of the hole] that creates the same bad effect," dos Santos said.
Netscape has found a fix for all three bugs and will issue a patch next week. Users will not have to download the entire Communicator suite to receive the patch. Those who buy the retail version on CD-ROM will have to visit the Netscape Web site to download it, according to Communicator product manager Daniel Claussen.
Company representatives pointed to the popularity of the browser as one reason so many holes are being poked in the software. "This type of testing is something no other software has seen before," said Claussen, who pointed out that the company has not had to change the browser's security model.
The market "is too competitive, and [Microsoft and Netscape] have big pressure to release new versions," he added. "If it were an ideal or academic world, I would do a lot more testing for security problems."
Both companies have been criticized for relying on the public as de facto beta testers. Conceding the value of such anonymous testers, Netscape has a "Bugs Bounty" program that rewards bug finders with $1,000 and a T-shirt.