CyberTimes
July 23, 1997

Netscape and Microsoft Plan Patches for 2 Security Bugs

Following recent reports of two similar bugs that could allow technically savvy criminals access to online forms that contain bank account records, credit card numbers, passwords and Social Security numbers, the Netscape Communications and Microsoft corporations said on Tuesday that they planned to offer software patches this week.

The two bugs -- one called the "tracker bug" and another called the "Bell Labs bug" -- were reported to the software companies in the last month, but those companies say they have not received reports of abuse.

"Encryption is irrelevant here," said Chris Pfaff, a spokesman for Bell Labs in Murray Hill, N.J., where one of the bugs was discovered. "Even if you were behind a firewall, you could still be tracked."

Both bugs affect Netscape browsers 2.0 and higher, but not Netscape 3.02 or Netscape Communicator. Microsoft browsers Internet Explorer 3.0 and higher are affected by the Bell Labs bug, but only the Windows 95 and NT versions. Also, Microsoft's Platform Preview 1.0 browser is affected.

Microsoft plans to put up its patches Wednesday morning, and Netscape plans to offer them by the end of the week under the name Netscape 3.03.


The trouble stems from a gap in the JavaScript language. Because of the bugs, someone can set up a Web site with a JavaScript program that follows users to other sites and reports information back, including the contents of fields in online forms. If the user is being tracked, a window, which is not always easily visible, will open on the screen. The "tracker" can use the window to follow the information on the Web page. Technicians recommend that if people see an unexpected window open, they should close it.

For the tracking to set in, the user must visit the so-called malicious site first.

Bell Labs technicians recommend that users disable JavaScript until they download the patches. But Dave Rothschild, director of client product marketing for Netscape, said such action would be extreme. He issued a precaution that was akin to telling children not to play in the street: Stick with known and trusted Web sites.

Some banks and online malls posted security alerts on their Web sites during the last week, including Wells Fargo Bank and the Bank of America. In this case, Wells Fargo officials decided the security risk was low enough to keep running the site, which serves more than 300,000 online banking customers. Once, in the fall of 1995, the bank closed its site for several days because officials deemed a Netscape security risk to be too high.

"We put these (alerts) up because we're very concerned about security," said Lorna Doubet, a Wells Fargo spokeswoman. "If the risk is too great, we won't allow the browser to come in. In this case, we gave the information and let the user choose."

The software companies constantly search for bugs. In fact, Netscape started a program in 1995 called "Bugs Bounty" that offers $1,000 to anyone who finds a valid security bug in the browsers. Twenty people have been paid since December 1995.

The Bell Labs and tracker bugs themselves require substantial knowledge to execute -- knowledge both of JavaScript and the browsers' points of vulnerability.

"They need to know what the security hole is, which we haven't talked about publicly," said Vinod Anupam, the computer science researcher who found the bug at Bell Labs. "They need to know where the back door is."

Still, he does not recommend that users let their browsers go unmended.

"They need to download the patch," he said.

Susan Scott, executive director of a program called Truste, said security bugs should not scare people away from online business. Her program (pronounced trust-E) encourages companies and consumers to do business online.

"Whenever a story comes out, it just feeds into the anxiety the consumers have about doing commerce online," she said.

Truste is part of CommerceNet, a Palo Alto, Calif.-based consortium of 500 companies that do business online. The Truste program's goal is to raise consumer confidence by setting up a rating system in which Web sites inform users how their personal information will be used by the company -- whether it will be shared with marketing research firms or used only for the single transaction. Truste will monitor the sites that carry the program seal to ensure they're following the rules.

Scott believes lack of consumer confidence is keeping people from buying things online. A poll conducted in January by CommerceNet and Nielsen showed that only 15 percent of respondents who used the Internet actually made purchases online.

Bugs notwithstanding, she wants to allay any anxiety. She said it's very difficult to find people whose privacy has been violated via the Internet.

"What we're talking about is a new medium that is under development," Scott said. "Like anything else, it's going to take a while to perfect it. Just because there's a possibility that something can happen doesn't mean it will happen.

"I think it's almost impossible to say, 'I've got a foolproof security system.'"



Copyright 1997 The New York Times Company
