Forwarded From: shadowvrai@trust-me.com

Netscape faces another security hole
By Paul Festa
Staff Writer, CNET News.com
February 18, 1999, 12:20 p.m. PT

Fresh from a recent battle with frame spoofing, Netscape is facing a similar security hole in its Communicator Web browser that permits window spoofing.

Spoofing allows a malicious Web page author to present Web content under a false designation. Communicator's frame-spoofing bug let Web authors insert their own frame--a sort of window within a window--into the pages of trusted third-party sites. Microsoft also grappled with frame-spoofing issues last month.

With the window spoofing problem that Netscape acknowledged today, a Web author can fill an entire window with his or her own content while maintaining the address bar of the trusted site.

The trick could be used to fool visitors into handing over sensitive information, including user names, passwords, and credit card numbers, though Netscape contended that such an exploit would require extremely high-level JavaScripting skills.

As with frames, Microsoft dealt with a window-spoofing problem last month.

Communicator's window-spoofing bug permits an exploit in which a hyperlink on the maliciously designed page first takes the user to the trusted site and then executes a line of JavaScript code that substitutes the spoofed window several seconds later.

JavaScript is a scripting language developed by Netscape for interactive Web documents such as pop-up windows and forms. JavaScript is unrelated to the Java programming language, which was developed by Sun Microsystems.

The current problem was discovered by Bulgarian bug hunter Georgi Guninski, who posted a demonstration of the exploit to the Web.

Netscape noted that no users have reported falling victim to such an exploit and that the company would fix the bug in a March release of the browser.

Nevertheless, Guninski will reap a $1,000 bug-hunting bounty from Netscape for his discovery.
Netscape praised his efforts, particularly what the company termed his "groundbreaking" work with JavaScript.

"We've never seen this before," said John Gable, senior product manager on the Communicator team. "He's a talented guy, one of the most creative JavaScript developers we've ever seen."

Netscape's fix will prohibit the type of JavaScript-laced URL that Guninski crafted.

The bug affects Communicator 3.04, 4.06, 4.5 for Windows 95 and 4.08 for Windows NT, according to Guninski, who recommends disabling JavaScript pending a fix.