SafeWeb Addresses Vulnerability in Consumer Privacy Technology

• Previous message: David LeBlanc: "RE: Microsoft C++ feature against buffer overflows itself vulnerable"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

FOR IMMEDIATE RELEASE

SAFEWEB ADDRESSES VULNERABILITY IN CONSUMER PRIVACY TECHNOLOGY

Emeryville, CA -- February 13, 2002 -- SafeWeb, a leading provider of
Web-based security and privacy technologies, today announced that it will
address JavaScript security vulnerabilities in its licensed consumer privacy
technology that were highlighted in a recent a study. The company closed
down the free privacy service in November 2001 for financial reasons.

“We have a responsibility to promptly resolve bugs in our technology,” said
Jon Chun, CEO and president of SafeWeb. “Security is a process, and we
welcome this kind of in-depth critical review as an opportunity to improve
and lead in this area. We appreciate that David Martin of Boston University
and Andrew Schulman of the Privacy Foundation identified these issues and
alerted us to the problem.”

Though the company has not received any customer complaints on this problem,
and though it suspended the consumer privacy service last year, it has
decided to issue a patch as a precautionary measure.

SafeWeb has advised PrivaSec and other licensees of its consumer privacy
technology to the vulnerabilities raised in the study, and plans to deliver
the patch to PrivaSec and all other licensees within several days.

The vulnerabilities identified, which require the use of Web browser
scripting languages, would allow a malicious website operator to identify
attributes of SafeWeb users that were not intended to be disclosed. SafeWeb
users accessing reputable and trusted websites would not be affected.

SafeWeb is creating a software upgrade that gives users the option to
disable JavaScript when surfing the Web anonymously. This option will
eliminate the vulnerabilities described in the study.  By providing this as
an option, SafeWeb will allow users to choose between greater functionality
and this new level of security.

The JavaScript vulnerabilities raised in the paper do not affect SafeWeb's
enterprise remote access product, the Secure Extranet Appliance (SEA). In a
secure remote access deployment, users must authenticate themselves to
trusted systems in order to access resources within the company's intranet,
and therefore user anonymity is not an issue.

About SafeWeb, Inc.

Based in Emeryville, California, SafeWeb was founded in April 2000 to create
innovative security and privacy technologies that are effective, economical
and simple. Our mission with the Secure Extranet Appliance is to deliver
technology that drastically reduces the cost and complexity traditionally
involved in securing corporate network resources.

Since its inception, SafeWeb has built the world's largest online privacy
network and has established strategic partnerships to deliver customized
versions of its proven technology to high-profile U.S. intelligence and
communications agencies. SafeWeb has received numerous awards for its
technology, and has been recognized as a privacy and security expert before
the U.S. Congress and at industry conferences such as DEF CON. For more
information, please visit the company’s Website at http://www.safeweb.com.

# # #

For more information contact:

Sandra Song
Communications Director
SafeWeb, Inc.
(510) 601-8855 x108
sandraat_private

• Next message: IT Resource Center : "HP Secure OS Software for Linux security bulletins digest"
• Previous message: David LeBlanc: "RE: Microsoft C++ feature against buffer overflows itself vulnerable"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 14:50:13 PST