Home page logo
/

bugtraq logo Bugtraq mailing list archives

Another hole poked in Communicator
From: aleph1 () DFW NET (Aleph One)
Date: Mon, 28 Jul 1997 11:22:33 -0500


http://www.news.com/News/Item/0.4.12840,00.html?latest

                Another hole poked in
                Communicator
                By Alex Lash
                July 25, 1997, 7:10 p.m. PT

                Netscape Communications (NSCP) today
                confirmed that another hole has been
                punched in its Communicator browser, the
                fourth one since the product shipped in June.

                Discovered by Kuo Chiang of the Singapore's
                Information Technology Institute, the security
                flaw affects both Macintosh and Windows
                versions of Communicator. It produces
                identical results to two previous flaws related
                to JavaScript, a scripting language Netscape
                invented and uses in its browsers. It allows a
                Web site administrator to place a
                nearly-invisible applet on a user's hard drive
                then track the user's progress across the
                Web, including any data the surfer types into
                the browser such as credit card numbers.

                The company knew about the bug yesterday
                and has already fixed it, according to senior
                security product manager David Andrews. A
                new version of Communicator will be
                available in two weeks to coincide with a
                scheduled software upgrade. Users will have
                to download the entire suite to patch the
                security flaw.

                Despite having identical results to two
                previous JavaScript holes, the latest bug is
                due to the company's use of LiveConnect, a
                separate language used to connect Java and
                JavaScript, Andrews said.

                "LiveConnect is the way Java and JavaScript
                communicate with each other. It's exposing
                information that it shouldn't be."

                Not nearly as scrutinized as Java and ActiveX,
                JavaScript and other scripting languages are
                nonetheless used extensively to deliver
                information to browsers. Andrews insisted
                that the architecture of JavaScript and
                LiveConnect are not problematic, but their
                implementation in the browser software has
                created security breaches.

                Microsoft's browsers were also affected by
                the previous JavaScript bugs. The company
                released a patch for Internet Explorer 3.0
                earlier this week. It is unclear if the latest bug
                affects Explorer as well.
                Another hole poked in
                Communicator
                By Alex Lash
                July 25, 1997, 7:10 p.m. PT

                Netscape Communications (NSCP) today
                confirmed that another hole has been
                punched in its Communicator browser, the
                fourth one since the product shipped in June.

                Discovered by Kuo Chiang of the Singapore's
                Information Technology Institute, the security
                flaw affects both Macintosh and Windows
                versions of Communicator. It produces
                identical results to two previous flaws related
                to JavaScript, a scripting language Netscape
                invented and uses in its browsers. It allows a
                Web site administrator to place a
                nearly-invisible applet on a user's hard drive
                then track the user's progress across the
                Web, including any data the surfer types into
                the browser such as credit card numbers.

                The company knew about the bug yesterday
                and has already fixed it, according to senior
                security product manager David Andrews. A
                new version of Communicator will be
                available in two weeks to coincide with a
                scheduled software upgrade. Users will have
                to download the entire suite to patch the
                security flaw.

                Despite having identical results to two
                previous JavaScript holes, the latest bug is
                due to the company's use of LiveConnect, a
                separate language used to connect Java and
                JavaScript, Andrews said.

                "LiveConnect is the way Java and JavaScript
                communicate with each other. It's exposing
                information that it shouldn't be."

                Not nearly as scrutinized as Java and ActiveX,
                JavaScript and other scripting languages are
                nonetheless used extensively to deliver
                information to browsers. Andrews insisted
                that the architecture of JavaScript and
                LiveConnect are not problematic, but their
                implementation in the browser software has
                created security breaches.

                Microsoft's browsers were also affected by
                the previous JavaScript bugs. The company
                released a patch for Internet Explorer 3.0
                earlier this week. It is unclear if the latest bug
                affects Explorer as well.
                Another hole poked in
                Communicator
                By Alex Lash
                July 25, 1997, 7:10 p.m. PT

                Netscape Communications (NSCP) today
                confirmed that another hole has been
                punched in its Communicator browser, the
                fourth one since the product shipped in June.

                Discovered by Kuo Chiang of the Singapore's
                Information Technology Institute, the security
                flaw affects both Macintosh and Windows
                versions of Communicator. It produces
                identical results to two previous flaws related
                to JavaScript, a scripting language Netscape
                invented and uses in its browsers. It allows a
                Web site administrator to place a
                nearly-invisible applet on a user's hard drive
                then track the user's progress across the
                Web, including any data the surfer types into
                the browser such as credit card numbers.

                The company knew about the bug yesterday
                and has already fixed it, according to senior
                security product manager David Andrews. A
                new version of Communicator will be
                available in two weeks to coincide with a
                scheduled software upgrade. Users will have
                to download the entire suite to patch the
                security flaw.

                Despite having identical results to two
                previous JavaScript holes, the latest bug is
                due to the company's use of LiveConnect, a
                separate language used to connect Java and
                JavaScript, Andrews said.

                "LiveConnect is the way Java and JavaScript
                communicate with each other. It's exposing
                information that it shouldn't be."

                Not nearly as scrutinized as Java and ActiveX,
                JavaScript and other scripting languages are
                nonetheless used extensively to deliver
                information to browsers. Andrews insisted
                that the architecture of JavaScript and
                LiveConnect are not problematic, but their
                implementation in the browser software has
                created security breaches.

                Microsoft's browsers were also affected by
                the previous JavaScript bugs. The company
                released a patch for Internet Explorer 3.0
                earlier this week. It is unclear if the latest bug
                affects Explorer as well.



  By Date           By Thread  

Current thread:
  • Another hole poked in Communicator Aleph One (Jul 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]