Netscape Fixes Communicator 4.5 Hole

Welcome Guest. | Log In| Register | Membership Benefits

July 17, 1998 (3:36 PM EDT)

By Malcolm Maclachlan,

A Java security flaw in Netscape's Internet browser may be just the reason users need to upgrade to the latest version.

Last week, researchers at Princeton University's Secure Internet Programming Group found a security flaw that can be used to exploit 4x versions of Netscape's browser. But they told Netscape (company profile) before the release of version 4.5, which went into beta on Thursday. The Princeton researchers later verified the flaw was fixed.

The security breach centers around the ClassLoader mechanism, which controls dynamic linking in Java. It's a common area for Java security holes, according to the Princeton group. Despite changes made in Java Development Kit 1.1 and in the beta version of JDK 1.2, hackers are able to write applets that override the mechanism.

But that can't happen unless the attacker is able to access a secondary flaw to get into a system. That flaw was found in 4.0 versions of Communicator by researcher Mark LaDue, and involved the security-manager features of the program.

If an attacker was able to penetrate the browser's security, according to the group, he or she could essentially take over a user's computer using an applet, and could steal or delete files and cause other damage.

Netscape officials have downplayed the danger, saying the security hole would have been very difficult for an attacker to find and exploit.

Netscape is not aware of any attacker having successfully exploited the flaw, said Eric Byunn, group product manager for Communicator.

"It's not trivial," he said. "You would have to be a very sophisticated Java programmer."

The flaw could still affect earlier versions of Communicator, Byunn said. Netscape will be issuing a fix for earlier versions within a few weeks.

The SIP group said the problem lay mostly with Java's architecture, adding that the language has been a frequent source of security problems. However, the group said it does not believe the flaw could be used to attack Microsoft and Sun Java implementations.

Netscape has been in contact for several months with the Princeton group, which has found numerous bugs in software from Netscape, Microsoft and other companies.

Netscape has no official position on the group's activities, Byunn said, or on the Digital Millenium Copyright Act, a House bill that would make some of the security probes conducted by the group illegal.