from Multimedia Futures, a sister publication

The latest version of Netscape Communications Corp’s Navigator Web browser was still not available as we went to press late Monday, even though Netscape officials said last week it would be on its Web site by last Friday (CI 2866). Navigator users can already download a patch, but this can only offset one of the recently discovered bugs. Whenever the new version does make it, upgrade to version 2.01 immediately. If it hasn’t appeared soon, then seriously consider using another browser.

Security flaws in JavaScript let rogue Web authors retrieve directory listings of visitors’ hard disks; invisibly track the URLs of Web pages they are visiting; and grab the contents of the users’ Netscape disk cache and ‘recently visited’ lists. Netscape has known about all of the problems since February 23rd but apparently decided to leave the vast bulk of its users uninformed that snooping of their disk and browsing activities was possible. Its knowledge of some security problems with JavaScript goes back to January. No announcement was made on the company’s home page, in the many newsgroups discussing the security implications, or elsewhere on its site, though Netscape product manager Jeff Treuhaft says the company has been in touch with the technical community via various Internet-based fora.

Unlike previous security flaws in Navigator, which needed particular stealth and knowledge of bugs to be exploited, those in Navigator 2.0 can be employed by anyone with a good knowledge of Netscape’s JavaScript programming language. JavaScript, previously called LiveScript by Netscape, is completely distinct from the better-known Java. Whereas Java applets are pre-compiled and downloaded for execution, JavaScript programs are embedded in HTML code and interpreted by the browser on the fly. Netscape designed JavaScript as a tool for letting authors write intelligent Web pages. It is simpler to write than Java, but still powerful; as it turns out, too powerful for security-conscious users.

Moreover, until the new version 2.01, it has been impossible to disable JavaScript within the browser. Even if Java is turned off, JavaScript programs will execute. JavaScript is also present in Windows 3.x versions of Navigator, which lack Java functionality.

The security flaws were discovered separately by John Robert LoVerso of the OSF Research Institute and John Tennyson. Both men have reportedly won a $1,000 bug bounty from the company for their work. Tennyson originally found a bunch of security bugs in a Navigator beta back in January. Netscape promised a work-around, but LoVerso then showed that the ability to browse directories is still present in the release version of Navigator. On February 23rd a further article by LoVerso in the comp.risks newsgroup showed it was possible to use JavaScript to track the sites a user was visiting in real time without the user’s knowledge. In his posting he warns: ‘As it stands, JavaScript adds a viral element to HTML.’ The duo’s work can be found at http://www.c2.org/~aelana/javascript.html or alternatively at the Open Software Foundation site at http://www.osf.org/~loverso/javascript/track-me.html.