New Communicator bug found

Netscape Communications Corp. on Friday was quickly stitching up a new patch for yet another security breach in its Communicator browser, this time in version 4.01a, which was released last week to plug a different security hole.

A computer user working at the Information Technology Institute in Singapore found the new bug and notified Netscape on Thursday, said David Andrews, senior security product manager.

What Kuo Chiang discovered was a hole in Netscape's implementation of "live connect," a language that helps the browser talk to Java applets loaded onto Web sites, said Andrews. The browser speaks JavaScript, a language invented by Netscape to seal together Web-based content in HTML and Java applets within the browser.

The result of the bug is the same as two other breaches discovered earlier this month by other sources. They all enable a malicious Webmaster to program a site so that it intercepts data a visitor enters on a Web site, such as a credit card number. The bugs allow the data to be plucked before it can be encrypted.

One of the previous bugs and the new one, however, are more invasive. They shadow Web surfers even after they leave the site.

As a result of the newest security hole in Communicator, the Bell Labs scientist who discovered one of the bugs in JavaScript earlier this month is undertaking a more intensive study of scripting languages.

"JavaScript may be in the browser, but it is a pretty powerful language," said Vinod Anupam. His study will not be limited to Netscape's implementation, however, but will focus on all versions of languages that are embedded in browsers.

The new patch will be available within the next two to three weeks, Andrews said. Users may access the Help menu in Communicator and pluck the patch from the Security bar.

According to a technical director at ZDNet, Franco Ruggeri, Chiang's applet is tiny, one pixel by one pixel, and is saucily called "not" so the tool bar on the browser reports that "applet not running" when indeed it is. It then keeps speaking to the browser as the browser continues on its way, recording URLs and information that users enter on many of the Web sites they visit.

Andrews said Chiang is cooperating with the engineers at Netscape and that his Web site, albeit an active one, is not malicious in its intent. And Chiang, who could not be reached for comment, did not make his code public.