By Rachel Chalmers

The browser world is on the move: the Netscape Communications subsidiary of America Online Inc has announced Communicator 4.7 – yet another revision of its flagship software not to be based on the ambitious Mozilla open source project. New in 4.7 are a Shop@Netscape button – part of AOL’s master plan to encourage its 46 million visitors to indulge in single-click impulse buying – and Netscape Radio, which rebroadcasts content from Spinner and supports Winamp 2.5 and Flash Player 4.0. Netscape Search and Internet Keywords have also received a wash and brush up – version 4.7 even boasts a brand-new keyword: shop. Type "shop shoes" into the location bar and the browser will whisk you to a footwear e-commerce destination. Finally, Communicator now includes AOL Instant Messenger 3.0 and the AIM news ticker. The software is available for free download from http://home.netscape.com.

Microsoft Corp trumped its ancient rival by releasing version 5.0 of Internet Explorer back in March 1999 (there’s still no sign of Communicator 5, the long-promised firstborn of the Mozilla codebase). But the Redmond software giant has been struggling with a rash of security flaws in its browser, a rash which shows no signs of clearing up just yet. Earlier this week Berkeley, California-based Bigfix.com alerted subscribers to a problem with IE 5’s download behavior, which lets web page authors download files to be used in client-side scripts. Web sites are only supposed to be able to download files that reside in their own domains. What Bigfix discovered was that a server-side redirect can bypass this restriction.

By exploiting this feature, the author of a malicious email or web site could in theory capture text files from a victim’s personal computer, even if that computer were sitting behind a firewall. IE 5’s download behavior can be automated, meaning victims wouldn’t even have to activate a link to be exposed to risk. Merely opening an email or visiting a web site could trigger the attack. The problem affects IE 5 on Windows 95, 98 and NT. Microsoft responded to the news by notifying customers that they could protect themselves by disabling Active Scripting in IE 5. A patch is also in the works: the company promises that this patch will restore safe operation to download behavior. Microsoft executives must fervently hope that this is the last of IE 5’s egregious security flaws, but that’s unlikely. A more interesting question is whether Netscape-AOL’s long-anticipated Mozilla-based browser will fulfill one of the promises of the open source development methodology by proving itself to be more secure.
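
The restriction described above (a page may only download files from its own domain, yet a server-side redirect slipped past it) can be modelled as the difference between validating only the requested URL and validating every redirect hop. This is an added example, not code from Microsoft, Bigfix or the original article; the URLs, redirect chains and function names are constructed for illustration.

```javascript
// Simplified model of a same-domain download check (not Internet Explorer's code).
// A download is represented by its redirect chain: the URL the page asked for,
// followed by each URL the server redirected to. All chains are constructed data.

function originOf(url) {
  // WHATWG URL reports "null" for schemes with no scheme/host/port origin (file:, data:).
  return new URL(url).origin;
}

function sameOrigin(pageUrl, targetUrl) {
  const page = originOf(pageUrl);
  // An opaque ("null") origin never matches anything, including itself.
  return page !== "null" && page === originOf(targetUrl);
}

// Weak policy: validate only the URL the script requested.
function allowCheckingRequestOnly(pageUrl, chain) {
  return chain.length > 0 && sameOrigin(pageUrl, chain[0]);
}

// Hardened policy: every hop, including the final one, must stay in the page's origin.
function allowCheckingEveryHop(pageUrl, chain) {
  return chain.length > 0 && chain.every((hop) => sameOrigin(pageUrl, hop));
}

const PAGE = "http://site.example/page.html"; // constructed page URL
const CHAINS = {
  direct: ["http://site.example/data.txt"],
  redirectedSameSite: ["http://site.example/a", "http://site.example/b.txt"],
  redirectedToLocal: ["http://site.example/get", "file:///C:/constructed/notes.txt"],
  redirectedCrossSite: ["http://site.example/get", "http://other.example/x.txt"],
};

// Evaluate both policies over every sample chain.
function evaluateAll() {
  const out = {};
  for (const [name, chain] of Object.entries(CHAINS)) {
    out[name] = {
      requestOnly: allowCheckingRequestOnly(PAGE, chain),
      everyHop: allowCheckingEveryHop(PAGE, chain),
    };
  }
  return out;
}

console.table(evaluateAll());
```

The two policies agree on the direct and same-site chains and differ only where a redirect leaves the page's origin, which is the case the request-only check cannot see.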