
Browsers Mask a Bug in Feature's Clothing
by Lisa Rein

4:58 a.m. Nov. 12, 1997 PST


While Netscape and Microsoft play tit-for-tat, matching one intricate browser feature with the next, an age-old bug is beginning to beg some attention. Its nom de guerre changes with each new incident, but its impact on users remains the same: If you browse the Web, a wide variety of your hard-drive files can be covertly uploaded to malicious-minded Web servers.

In the past few months, Microsoft has posted three new bugs to its security site: the Bell Labs Bug, the Java Redirect Issue, and the Fried Burg Text-Viewing Issue. Microsoft describes the latter as follows:

"The issue could allow a malicious person to create a Web page that is intentionally designed to exploit this problem, to view the contents of a text file, HTML file, or graphic image from a user's hard disk."

All the bugs involve the same type of security breach, which is the unauthorized, remote access to a user's hard drive. Ironically, the bug was initially created by Netscape, which implemented a feature in Navigator that Microsoft - eager to catch up on the feature front - replicated in Internet Explorer.

"It's really a very simple bug," explains Christian Orellana, who discovered the Danish Privacy Bug that caused such an uproar - including Netscape's cries of extortion - in June. "The problem is when that nice HTTP File Upload feature which Navigator has had since version 1.1 combines with JavaScript."

The three newest Microsoft bugs amount to different implementations of this JavaScript/File Upload combination. The File Upload feature originated in an Internet draft submitted to the Internet Engineering Task Force standards body by Xerox PARC's Larry Masinter. Although the draft was labeled "experimental," rumor has it, much to Masinter's dismay, that the feature was hastily implemented in Navigator 2.0. As implemented, the File Upload feature provides a form input field for entering the name of a file to upload to a Web server. As a precaution, only the user is supposed to enter the value of this field. In reality, however, JavaScript allows the File Upload field's value to be set dynamically and the form to be submitted by script, so a Web page can send a file from the user's hard drive to its server unbeknownst to the end user.
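The following is an added example, not code from the article or from either browser vendor. It models, with plain JavaScript objects standing in for DOM nodes, the difference between the Navigator-era field the article describes (a string that script could fill in) and the rule browsers apply today: script may only clear a file input's selection, and any other assignment throws an InvalidStateError. The `userPicks` hook is a hypothetical stand-in for the user choosing a file in the picker.

```javascript
// Added example: model of <input type="file"> semantics, then and now.
// Plain objects stand in for DOM elements so this runs under Node.

// Current behaviour (HTML spec "value" setter for type=file): assigning ""
// clears the selection; assigning anything else throws InvalidStateError.
// Only the user's file picker populates the selected-files list.
function makeModernFileInput() {
  let selectedFiles = []; // file names chosen by the user, never by script
  return {
    type: 'file',
    get files() { return selectedFiles.slice(); },
    // Spec: the getter exposes only a sanitised "C:\fakepath\<name>" string.
    get value() {
      return selectedFiles.length ? 'C:\\fakepath\\' + selectedFiles[0] : '';
    },
    set value(v) {
      if (v === '') { selectedFiles = []; return; }
      const err = new Error('script may not set a file input value');
      err.name = 'InvalidStateError';
      throw err;
    },
    // Hypothetical hook standing in for the user picking a file.
    userPicks(name) { selectedFiles = [name]; },
  };
}

// Navigator 2.0-era behaviour as the article describes it: the field is an
// ordinary string that script can fill in before the form is submitted.
function makeLegacyFileInput() {
  return { type: 'file', value: '' };
}

// True when a script could pre-fill the upload path itself, i.e. when the
// browser would let a page choose which local file goes into the form.
function scriptCanPreloadPath(input, path) {
  try {
    input.value = path;
  } catch (e) {
    if (e.name === 'InvalidStateError') return false;
    throw e;
  }
  return input.value === path;
}
```

Run the two models side by side to see that the modern input rejects a scripted path while the legacy model accepts it, which is exactly the hole the article is about.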

The benefits of the File Upload feature were felt immediately: passwords, shopping carts, dynamically generated pages based on an end user's client-side preferences. The tradeoff for these new features, however, appears to be an ongoing security hazard.

"The threat is real, and you have no way of knowing if it has already taken place, because it probably wouldn't leave any traces behind," said Charles Reese, a security consultant at NetCraft Network Services. "You're really not safe leaving your browser open while online for any long period of time on anyone's Web page but your own."

Netscape wrestled with similar problems in July, August, and September, when the Danish Privacy Bug, the French Privacy Bug, and the Santa Barbara Privacy Bug arose. With each new bug, Netscape's response was to post a fix - i.e., let users download an updated version of the browser.

The general browsing public is probably unaware that these bugs even exist, and neither Netscape nor Microsoft has done much to publicize them - although the companies have posted near-identical assurances that the danger is minimal, because a malicious webmaster would have to know the exact location of the file on the user's hard drive. The companies do concede, however, that just about anything on an end user's hard drive - if it can be loaded via HTTP - is at risk: form data, passwords, cookie data, system allocation files, preference files, even class files.

Reese contends that "having to know the exact path and filename for the desired file is a minimal hindrance. Cookie files, for instance, are almost always stored in the same default location."

Both Netscape and Microsoft developed "fixes" for the specific implementations of the bugs, but as soon as one exploit has been patched, another seems to emerge.

"It does not surprise me that adding JavaScript to a Web browser has resulted in a frustratingly long string of security holes," explains David Flanagan, author of JavaScript: The Definitive Guide, which JavaScript creator Brendan Eich has described as "a must-have reference." "Since JavaScript-related security holes fall into only a few broad classes with similar symptoms, it is not at all surprising that IE appears to exhibit the same bugs as Navigator," Flanagan added.

So what can be done, exactly? In short, not a lot. In the same way that people think of useful ways to get features to interact with each other, they also find ways to exploit the new features. Netscape's Eich argues that the recent bug developments may not all be related to JavaScript's problems, however.

"I think it's important not to generalize based on a misreading that calls several bugs 'one big bug repeating itself over and over,'" he cautions.

Others contend that the latest string of bugs is the inevitable result of the features battle between Microsoft and Netscape.

"There was no reintroduction of errors, no malice involved. It's just trying to do things on Internet time," explains John LoVerso, researcher at the Open Group Institute and author of the JavaScript Problems I've Discovered site, which also details the media's inaccurate portrayal of the issue.

Both Microsoft's and Netscape's browsers offer a Band-Aid solution - disabling the scripting functionality for "untrusted sites" - as well as patches for each specific bug. And while the patches may work for these particular bugs, the inherent security hole still exists, and could be exploited in other ways.

A source close to Microsoft said "it would be nice to add in a lot more notification into the [IE 4] scripting model for being notified of all sorts of things." He added that the File Upload bug was simply another good example of the need for a more thorough end-user notification system.

For the time being, it appears that Web users are presented with three options: Trust it, disable it, or ... just don't worry about it.

Related Wired Links:

Netscape Dodges Bug, 'Extortion' Bullet

IE Security: Playing Catch-Up with Netscape

Netscape 3.0 Users Will Wait for Bug Fix

New IE 4.0 Security Hole Discovered


Copyright © 2000 Wired Digital Inc., a Lycos Network site. All rights reserved.