FRAMINGHAM (08/08/2000) - A recently discovered flaw in Netscape Communications Corp.'s Internet browser software could let malicious hackers retrieve and view any directory or locally stored file on a victim's computer.
But corporations using basic security measures such as filtering software and properly configured firewalls should have at least some measure of protection against it, security analysts said.
The problem results when a certain function of Sun Microsystems Inc.'s Java core is combined with a vulnerability in Netscape's implementation of Java that allows applets to access local files, said David Endler, an analyst at iDefense Intelligence Services, an Internet security services firm in Fairfax, Va.
An attacker could exploit the hole by creating a malicious Web site that invisibly loads a Java applet on a visiting user's computer, according to an alert on the subject from iDefense.
The applet starts a Web server on the user's system that allows anyone to connect to it and view locally stored files and directories, the advisory added.
"In theory, you can make public entire directories of a victim's computer," Endler said. "It's sort of like a poor man's Napster."
An exploit taking advantage of the flaw was posted last Friday by Daniel Brumleve, a programmer in Silicon Valley who discovered the flaw.
In examples posted on his Web site, Brumleve demonstrated how the vulnerability -- nicknamed "Brown Orifice" -- could be exploited to allow others to view and retrieve files without any warning.
In worst-case scenarios, attackers could use this method to steal passwords, user names and indeed the entire contents of files, said Chris Rouland, director of the X-Force team of security analysts at Internet Security Systems Inc. in Atlanta.
Last week's Brown Orifice exploit -- the code for which can be downloaded from Brumleve's site -- was "proof-of-concept" code designed to show how "Netscape's Java engine violates Java's 'sandbox' rules," which prevent applets from touching the host system's operating system, Rouland said.
"I would certainly expect the code to be modified (by others) to make it much more malicious," he added.
But users will first need to voluntarily visit malicious Web sites -- or click on e-mailed links to a malicious site -- to be exposed to the vulnerability, said Andrew Weinstein, a spokesman for America Online Inc., which owns Netscape.
According to Weinstein, Netscape is working on a patch that will fix the hole, but he refused to speculate when that might become available.
Until then, users can protect themselves by disabling the Java functionality on their browsers, he said. This can be done by going to the Edit button, clicking on Preferences and choosing the Advanced option.