Another hole poked in Communicator
Aleph One (aleph1 DFW.NET)
Mon, 28 Jul 1997 11:22:33 -0500
http://www.news.com/News/Item/0.4.12840,00.html?latest

Another hole poked in Communicator
By Alex Lash
July 25, 1997, 7:10 p.m. PT

Netscape Communications (NSCP) today confirmed that another hole has been punched in its Communicator browser, the fourth one since the product shipped in June.

Discovered by Kuo Chiang of Singapore's Information Technology Institute, the security flaw affects both Macintosh and Windows versions of Communicator. It produces identical results to two previous flaws related to JavaScript, a scripting language Netscape invented and uses in its browsers. It allows a Web site administrator to place a nearly-invisible applet on a user's hard drive then track the user's progress across the Web, including any data the surfer types into the browser such as credit card numbers.

The company knew about the bug yesterday and has already fixed it, according to senior security product manager David Andrews. A new version of Communicator will be available in two weeks to coincide with a scheduled software upgrade. Users will have to download the entire suite to patch the security flaw.

Despite having identical results to two previous JavaScript holes, the latest bug is due to the company's use of LiveConnect, a separate language used to connect Java and JavaScript, Andrews said.

"LiveConnect is the way Java and JavaScript communicate with each other. It's exposing information that it shouldn't be."

Not nearly as scrutinized as Java and ActiveX, JavaScript and other scripting languages are nonetheless used extensively to deliver information to browsers. Andrews insisted that the architecture of JavaScript and LiveConnect are not problematic, but their implementation in the browser software has created security breaches.

Microsoft's browsers were also affected by the previous JavaScript bugs. The company released a patch for Internet Explorer 3.0 earlier this week. It is unclear if the latest bug affects Explorer as well.