"The issue could allow a malicious person to create a Web page that is intentionally designed to exploit this problem, to view the contents of a text file, HTML file, or graphic image from a user's hard disk."
All the bugs involve the same type of security breach, which is the unauthorized, remote access to a user's hard drive. Ironically, the bug was initially created by Netscape, which implemented a feature in Navigator that Microsoft - eager to catch up on the feature front - replicated in Internet Explorer.
The benefits of the File Upload feature were experienced immediately: passwords, shopping carts, dynamically generated pages based on an end user's client-side preferences. The tradeoff for these new features, however, appears to be an ongoing security hazard.
"The threat is real, and you have no way of knowing if it has already taken place, because it probably wouldn't leave any traces behind," said Charles Reese, a security consultant at NetCraft Network Services. "You're really not safe leaving your browser open while online for any long period of time on anyone's Web page but your own."
Netscape wrestled with similar problems in July, August, and September, when the Danish Privacy Bug, the French Privacy Bug, and the Santa Barbara Privacy Bug arose. With each new bug, Netscape's response was to post a fix - i.e., let users download an updated version of the browser.
The general browsing public is probably unaware that these bugs even exist, and neither Netscape nor Microsoft has done much to publicize them - although the companies have posted near-identical assurances that the danger is minimal, because a malicious webmaster would have to know the exact location of the file on the user's hard drive. The companies do concede, however, that just about anything on an end-user's hard drive - if it can be loaded via HTTP - is at risk: form data, passwords, cookie data, system allocation files, preference files, even class files.
Reese contends that "having to know the exact path and filename for the desired file is a minimal hindrance. Cookie files, for instance, are almost always stored in the same default location."
Both Netscape and Microsoft developed "fixes" for the specific implementations of the bugs, but as soon as one exploit has been patched, another seems to emerge.
"I think it's important not to generalize based on a misreading that calls several bugs 'one big bug repeating itself over and over,'" he cautions.
Others contend that the latest string of bugs is the inevitable result of the features battle between Microsoft and Netscape.
Both Microsoft's and Netscape's browsers offer a Band-Aid solution - disabling the scripting functionality for "untrusted sites" - as well as patches for each specific bug. And while the patches may work for these particular bugs, the inherent security hole still exists, and could be exploited in other ways.
A source close to Microsoft said "it would be nice to add in a lot more notification into the [IE 4] scripting model for being notified of all sorts of things." He added that the File Upload bug was simply another good example of the need for a more thorough end-user notification system.
For the time being, it appears that Web users are presented with three options: Trust it, disable it, or ... just don't worry about it.