Netscape posts security fix

Netscape Communications has posted instructions to fix a minor security hole in its Communicator browser, offering a corresponding minor upgrade, and blaming the whole problem on Microsoft.

The two browser powers are at odds over who created a security hole that can apparently let hostile Web sites read the links in your bookmark file and possibly some HTML file attributes on a hard drive.

The problem apparently stems from JavaScript, a scripting language that lets Web authors create interactive Web sites and is supported by script from Microsoft's rival browser Internet Explorer. Some IE scripts are exposed in Communicator, a Microsoft official and an independent analyst confirm.

No incidents of a breach of the hole have been reported.

Netscape has posted an explanation and describes a procedure for Communicator users to close the security hole on its Web site (http://home.netscape.com/security/jscookie.html). The process involves changing Communicator's settings to edit the user profile, restrict cookies, or disable JavaScript altogether.

Also, Netscape encourages people to upgrade their browsers to Communicator 4.73, now available through SmartUpdate and on Netscape's site Microsoft's site does not appear to acknowledge or offer advice regarding the bug. And the rivals differ over who should repair the larger problem.

Rivals Point Fingers

Microsoft says it is up to Netscape to protect the privacy of the scripts in Communicator, no matter where they originated.

"The Microsoft Internet Explorer security model allows a Web site to run any script or program that it trusts," says Scott Culp, a Microsoft security program manager. "The real problem is Netscape Communicator taking a powerful script and putting it out on your computer in a locale where any Web site can find it out and run it."

Netscape places the blame for the security hole firmly at Microsoft's door.

"The problem is with Microsoft's Internet Explorer," says Eric Krock, a Netscape group manager for tools and components. "It's only the installation and use of Internet Explorer that leaves the user vulnerable."

One security analyst agrees and says Microsoft should fix the bug. "Microsoft built the architecture that made it [the hole] possible," says David Perry, a spokesperson for antivirus software vendor Trend Micro.

The updated Communicator 4.73 was unscheduled, because the company is preparing a major upgrade, Netscape 6. That version is now in beta testing and is expected to ship this summer.

Jack McCarthy of IDG News Service contributed to this report.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftTrend Micro Australia

Show Comments

Market Place