The man who discovered a vulnerability in Netscape's Navigator browser wasted no time in finding a similar problem in the latest version of Navigator released Monday.
Dan Brumleve, a software consultant, found the original security hole in Navigator that lets would-be intruders detect a list of Web sites recently visited by an individual. Even though the new version, Communicator 4.07, includes fixes for the original flaw, Brumleve said Tuesday that they don't work.
"The new hole has the effect of circumventing the read-protection mechanism [employed by Netscape's updated software] in a more general way, allowing any document to insert JavaScript code into another document's context," he explained in an email.
The ability to insert rogue JavaScript instructions into a Web page still leaves browsing information and other sensitive data exposed, he said. Brumleve has written test scripts enabling him to pilfer a user's file directory and "cookies," which often contain private information.
Cookies are chunks of data used by some Web sites to identify the browser, and the user, visiting the site. In the wrong hands, an intruder could visit a Web site using someone else's identity.
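The "read-protection mechanism" the article refers to is the rule that script in one document may only touch the cookies, history and document context of another document when both come from the same origin (scheme, host and port). The following is an added example, not code from the article, from Brumleve or from Netscape: a small Node.js model of that check with a per-origin cookie store that refuses cross-origin reads. The hostnames and cookie values are constructed, and treating origin as scheme+host+port is an assumption about how the check is defined, not a description of Navigator's own implementation.

```javascript
// Added example (not from the article): the same-origin check a browser is
// expected to apply before script in one document can read another
// document's cookies or context. Assumption: origin = scheme + host + port.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is "" when the default port is used, so normalise it explicitly.
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A toy per-origin cookie store. Script running in `requesterUrl` may read the
// jar belonging to `targetUrl` only when the two documents share an origin.
class CookieStore {
  constructor() {
    this.jars = new Map(); // origin -> Map(name -> value)
  }

  set(documentUrl, name, value) {
    const origin = originOf(documentUrl);
    if (!this.jars.has(origin)) this.jars.set(origin, new Map());
    this.jars.get(origin).set(name, value);
  }

  read(requesterUrl, targetUrl) {
    if (!sameOrigin(requesterUrl, targetUrl)) {
      throw new Error(
        `cross-origin read refused: ${originOf(requesterUrl)} -> ${originOf(targetUrl)}`
      );
    }
    return Object.fromEntries(this.jars.get(originOf(targetUrl)) || []);
  }
}

// Constructed scenario: a document on the same origin can read the session
// cookie; a document from another origin is refused.
function demo() {
  const store = new CookieStore();
  store.set("https://bank.example/account", "session", "abc123"); // constructed

  const results = {};
  results.same = store.read("https://bank.example/help", "https://bank.example/account");
  try {
    store.read("http://other.example/page", "https://bank.example/account");
    results.cross = "leaked";
  } catch (e) {
    results.cross = "refused";
  }
  return results;
}

console.log(demo()); // { same: { session: 'abc123' }, cross: 'refused' }
```

The vulnerability described in the article amounts to the `sameOrigin` gate being bypassable: once a document can run script in another document's context, the check is never consulted, and the cookie jar and browsing data on the other side become readable. Any fix has to hold the gate on every path that reaches another document's context, which is why Smith's "how products fit together" point matters more than patching individual paths.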
Netscape confirmed the hole in its new software.
"We've confirmed that, in fact, it is another privacy bug," said product manager Eric Byunn. "We'll be posting a notice to our Web site about it, as we did on the other one." Byunn said that Netscape will issue a software fix as soon as possible.
As with his earlier finding, dubbed Cache-Cow, Brumleve posted his new findings -- appropriately named Son of Cache-Cow -- with demonstration scripts on his own Web site as a warning.
"Finding the Cache-Cow hole was a freak accident of observation, and zeroing in on this new hole only took a few hours of research," he said. "There are probably dozens of other problems like this that nobody has found yet."
The recurrence of privacy-oriented vulnerabilities is a worrisome sign to some experts that browser companies need to rethink their approach, rather than simply reacting to holes as they're discovered.
"The fact that there are so many little leaks like this is kind of disturbing," said Richard Smith of Phar Lap Software. "I sent a list of 19 problems to Netscape and Microsoft in these areas back in August. Their response was that there was no way to get JavaScript to access this stuff."
Smith ran his own tests and confirmed at least one of Brumleve's newly discovered exploits. He made his own discoveries of vulnerabilities in the Eudora email program last summer.
When the original problem surfaced, Netscape said it would be investigating all aspects of JavaScript to prevent similar situations in the future. But despite the quick discovery of a similar exploit, Byunn doesn't consider the problem systematic.
"This really is a new bug," he said. "It's entirely separate from the previous bug in the way the attack is made under the covers. We really just feel it's more of a coincidence and the fact that there's a smart guy who's working hard to find privacy bugs or vulnerabilities in our products." The company is glad to get the feedback on its software, Byunn said.
But Smith thinks the browser companies need to step back and take a bigger look at interaction between different software components like JavaScript and applications like browsers. What Brumleve is dramatically demonstrating, Smith said, are the impressive capabilities that come from combining browser actions with scripting languages like JavaScript.
"I don't think [any browser company] can give you a [definitive] answer as to whether there's a security hole or not.... They've got to understand how products fit together here. It's almost like Lego. We have the danger that people don't realize that we can put things together to figure out scary security problems."
As more companies use the Web to run critical business applications, security holes may represent lucrative opportunities for electronic intruders.
For example, Smith noted that Microsoft has established a convention that causes its personal finance software, Microsoft Money, to launch automatically. Just like a browser, which can be automatically started with "http://" text in an email message or script, Microsoft Money can be launched using "money://," Smith said.
Therefore, Smith concluded, it's possible to imagine a scenario where a person's financial software could be induced to make an electronic payment to a site, and not necessarily the right one.
In Smith's opinion, "there should be no way that an email message can start up Microsoft Money. That's the complexity issue we get into here."
Smith said Brumleve's exploits could also be carried out via JavaScript included in email messages. A message carrying a rogue script could cause the Netscape browser to launch and carry out the misdeed.
Brumleve says the latest exploit affects all versions of Netscape's browser that support JavaScript, including the new one. He has not tested the exploits on Microsoft's Internet Explorer software, mainly because he does not regularly use it, he said.
Microsoft representatives could not be reached for comment.