[ISN] Netscape faces another security hole

From: mea culpa <jericho_at_dimensional.com>
Date: Sat 20 Feb 1999 - 03:26:10 CST
Forwarded From: shadowvrai@trust-me.com

Netscape faces another security hole 
By Paul Festa
Staff Writer, CNET News.com
February 18, 1999, 12:20 p.m. PT 

Fresh from a recent battle with frame spoofing, Netscape is facing a
similar security hole in its Communicator Web browser that permits window
spoofing. 

Spoofing allows a malicious Web page author to present Web content under a
false designation. Communicator's frame-spoofing bug let Web authors
insert their own frame--a sort of window within a window--into the pages
of trusted third-party sites. Microsoft also grappled with frame-spoofing
issues last month. 

With the window spoofing problem that Netscape acknowledged today, a Web
author can fill an entire window with his or her own content while
maintaining the address bar of the trusted site. The trick could be used
to fool visitors into handing over sensitive information, including user
names, passwords, and credit card numbers, though Netscape contended that
such an exploit would require extremely high-level JavaScripting skills. 

As with frames, Microsoft dealt with a window-spoofing problem last month. 

Communicator's window-spoofing bug permits an exploit in which a hyperlink
on the maliciously designed page first takes the user to the trusted site
and then executes a line of JavaScript code that substitutes the spoofed
window several seconds later. JavaScript is a scripting language developed
by Netscape for interactive Web documents such as pop-up windows and
forms. JavaScript is unrelated to the Java programming language, which was
developed by Sun Microsystems. 

The current problem was discovered by Bulgarian bug hunter Georgi
Guninski, who posted a demonstration of the exploit to the Web. Netscape
noted that no users have reported falling victim to such an exploit and
that the company would fix the bug in a March release of the browser. 

Nevertheless, Guninski will reap a $1,000 bug-hunting bounty from Netscape
for his discovery. Netscape praised his efforts, particularly what the
company termed his "groundbreaking" work with JavaScript.

"We've never seen this before," said John Gable, senior product manager on
the Communicator team. "He's a talented guy, one of the most creative
JavaScript developers we've ever seen." 

Netscape's fix will prohibit the type of JavaScript-laced URL that
Guninski crafted. The bug affects Communicator 3.04, 4.06, 4.5 for Windows
95 and 4.08 for Windows NT, according to Guninski, who recommends
disabling JavaScript pending a fix.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:27:11 1999