graphic
News > Technology
Netscape bug uncovered
June 12, 1997: 6:58 p.m. ET

Danish software firm finds flaw that could let sites see data stored on PCs
From Correspondent Steve Young
graphic
graphic graphic
graphic
NEW YORK (CNNfn) - A serious new flaw that affects all versions of Netscape Communications Corp.'s popular Navigator Internet browser software -- including the final test version of its Communicator Suite released Wednesday -- has been uncovered by a Danish software firm, CNNfn has learned.

The bug was reported by Cabocomm, a software company located in the town of Aarhus, about 100 miles west of Copenhagen, Denmark. The bug makes it possible for Web-site operators to read anything stored on the hard drive of a PC logged on to the Web site.

After the firm reported the bug to CNN Financial News, CNNfn and PC Magazine tested the bug by creating and storing a document on a PC's hard drive in New York. Seconds later, the Danish company read it.

As further proof, CNNfn and PC Magazine created another document which the Danish company was also able to read.

Larry Seltzer, technical director of PC Labs, was among those who helped verify the bug report. He said it would take a somewhat savvy computer user to exploit the bug.

"They have to be seeking information from your system and they also have to know the file name. It's not that hard for somebody who's looking to make trouble, but they do have to be looking for it," Seltzer said.

"It's serious in that it's in the [actual] browser ...whereas previous bugs generally required the user to have downloaded an additional product," Jim Wise, UNIX administrator for CNNfn, said.

CNNfn's test showed that Internet security firewalls offer no protection from the bug.

Mike Homer, vice president of marketing for Netscape, said the company takes this and all bug reports seriously. (83K WAV) or (83K AIFF)

The Danish company says the reward of $1,000 and a T-shirt is "insultingly low" considering the extent to which the bug report is likely to worry Netscape users.

Cabocomm said it would accept "reasonable compensation" for the technical information -- or they can send a Netscape representative to Cabocomm and get it for free.

CNNfn, PC Magazine and the Danish company will not release technical details on the bug until Netscape has prepared a bug fix.

The reason CNNfn is not reporting the specifics of the bug is to avoid anyone exploiting it.

Until the bug is fixed, confidential letters, business spreadsheets -- everything on your PC -- can potentially be pilfered.

The Danish company says it won't exploit the bug, but has no idea if someone else has found the same bug and is compromising a system's integrity.Back to top


  RELATED STORIES

Netscape unveils Netcaster - April 15, 1997
  RELATED SITES

Netscape

CNN Plus Message Board to chat about the Netscape bug.

Note: Pages will open in a new browser window
External sites are not endorsed by CNNmoney




graphic

Contact Us Closed Captioning Manage Cookies+ Site Map

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.

Contact Us Closed Captioning Manage Cookies+ Site Map

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.