A computer user working at the Information Technology Institute in Singapore found the new bug and notified Netscape on Thursday, said David Andrews, senior security product manager.
The result of the bug is the same as two other breaches discovered earlier this month by other sources. They all enable a malicious Webmaster to program a site so that it intercepts data a visitor enters on a Web site, such as a credit card number. The bugs allow the data to be plucked before it can be encrypted.
One of the previous bugs and the new one, however, are more invasive. They shadow Web surfers even after they leave the site.
The new patch will be available within the next two to three weeks, Andrews said. Users may access the Help menu in Communicator and pluck the patch from the Security bar.
According to a technical director at ZDNet, Franco Ruggeri, Chiang's applet is tiny, one pixel by one pixel, and is saucily called "not" so the tool bar on the browser reports that "applet not running" when indeed it is. It then continues speaking to the browser as it continues on its way, recording URLs and information that users enter on many of the Web sites the users visit.
Andrews said Chiang is cooperating with the engineers at Netscape and his Web site, albeit an active one, is not malicious in its intent. And Chiang, who could not be reached for comment, did not make his code public.