UPDATE - Glitch Hunter Finds Flaw; Browser "Bug" Detected

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

[Fair use for education and research purposes only]

Title: IE5 Browser "Bug" Detected; E-mail Passwords At Risk?

Source: Newsbytes Publication date: 2000-05-08

A Seattle glitch hunter says he has found a security flaw in Microsoft's [NASDAQ:MSFT] Internet Explorer 5 browser that makes it possible for a hacker to use a Web page they designed to gather such sensitive data as a Web surfer's browser history, or even their e-mail passwords.

Bennett Haselton, who is both an anti-censorship advocate and a glitch hunter, has posted a demonstration of the problem on his Peacefire.org site (http://www.peacefire.org), which normally is devoted to efforts blocking censorship of content to and from young people. It now contains links to three Internet hacking "exploits," or security risks, that Haselton has uncovered since April 24.

Of his latest discovery, Haselton told Newsbytes today, "The main threat is that it can be used to intercept people's e-mail passwords. Just by visiting one Web page, someone could have their passwords intercepted."

The exploit can only work in fairly peculiar, though not unheard-of, circumstances. To be at risk from the IE 5 bug, a Web surfer must have the Netscape browser set as their computer's default browser - the one that opens automatically, for instance, when they tap on a hyperlink sent to them through e-mail. They must then open Internet Explorer and point it to a Web page into which exploiting code has been written. Many computers use both browsers.

Netscape's source code contains a JavaScript file that always, upon installation, goes to a user's hard drive in the same location, at C:\Program Files\Netscape\Users\default\prefs.js, unless a different drive than "C" is designated. Because it is in an easily predictable location, it is possible to write code into the HTML (hypertext markup language) of a Web page that can "overload" the JavaScript file on the hard drive and make it perform other unwanted functions, such as collecting e-mail addresses or passwords, and to retrieve browser histories, Haselton said.

Netscape reportedly has long been aware of the problem and has fixed it so that it cannot be exploited directly through Netscape's own browser. But, according to reports, Microsoft has not done anything about the hazard, making it possible to take advantage of the breach when the Explorer browser is in use. Haselton said that both Microsoft and Netscape have acknowledged the problem, but that neither of them plan to do anything about it because each blames the other. Published reports suggest much the same thing.

Officials at Netscape could not be reached for comment today. A Microsoft public relations worker referred to the flaw as "the alleged problem," but did not otherwise comment on the situation, and was unable to point Newsbytes to a quotable source in time for this story. However, Haselton said that he was able to demonstrate for several people who didn't believe him that there is a real risk, by collecting their e-mail passwords after they visited his glitch-demonstration Web site, at http://www.peacefire.org/security/localjs/, and mailing the information back to the doubters. Newsbytes was unsuccessful today in reaching three of the people whose e-mail passwords Haselton says he nabbed off the Web.

Meanwhile, Haselton indicated, he has received hundreds of generated e-mails from people who visited his demonstration page and had their entire browser viewing history, name, e-mail address, and other information, forwarded to him automatically.

Haselton suggested that both companies are at fault for the breach, though the blame may be slightly more Microsoft's. "The consensus among most people who study browser security issues is that it's slightly more Microsoft's responsibility," he said. "Microsoft is saying that Netscape should not have the JavaScript file in an obvious location, and what Netscape is saying is that Microsoft should not load a JavaScript file in one domain to a page located in another domain."

Haselton acknowledged copycats might take advantage of his discovery, especially if nothing is done to plug the gap. It is possible to detect if a Web page contains script capable of manipulating the Netscape JavaScript file, though most people would rarely scan Web-page source code looking for such a clue.

"It would be unlikely that anyone would ever know or notice anything," he said. "And you would never be warned or prompted, so unless you are in the habit of viewing the source code of every page you look at, you would never know it happened to you."

Haselton acknowledges that what he does is a form of hacking, though it is what one might call "benevolent hacking." Companies generally send out thanks to programmers who alert them to bugs in their software, and Netscape has even been known to pay $1,000 to bug hunters. Haselton says he is doing it not to point out flaws to people who would exploit them, but to alert the companies so that the problems can be fixed.

"If you discover one of these flaws, what would be a good reason not to publicize it?" he asked. "It's always good to release the information, because the sooner you release it, the less likely it will be that someone will find it and use it for the wrong reasons."

The security flaw demonstration is on the Peacefire.org site at http://www.peacefire.org/security/localjs/.

Reported by Newsbytes.com, http://www.newsbytes.com

14:04 CST (20000508/Press Contact: Bennett Haselton

http://realcities.yellowbrix.com/pages/realcities/Story.nsp?story_id=10385350&site=charlotte&ID=realcities&scategory=Internet

====================

-- (Dee360Degree@aol.com), May 08, 2000
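The article notes that a page carrying this kind of code can be spotted by reading its source, since the tell-tale sign is a script pulled from a fixed local path rather than from the page's own Web origin. The scanner below is an added example and is not code from the article or from Peacefire; the `LOCAL_SRC` heuristics and the sample HTML are constructed assumptions, not an exhaustive signature.

```python
from html.parser import HTMLParser
import re

# Heuristic for a src/href that points at the local filesystem instead of a
# web origin: file: scheme, a drive-letter path, or a UNC path (assumed list).
LOCAL_SRC = re.compile(r"^(file:|[a-zA-Z]:[\\/]|\\\\|//[a-zA-Z]:)", re.IGNORECASE)


class LocalScriptFinder(HTMLParser):
    """Collects tags whose src/href/data attribute loads a local file."""

    TAGS = {"script", "iframe", "embed", "object", "link"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names.
        if tag not in self.TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href", "data") and value:
                v = value.strip()
                # Flag any local-file reference, plus the known prefs.js name.
                if LOCAL_SRC.match(v) or "prefs.js" in v.lower():
                    self.findings.append((tag, v))


def find_local_script_refs(html):
    """Return a list of (tag, reference) pairs for local-file inclusions."""
    p = LocalScriptFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page (not from the article) used to exercise the scanner:
# one normal remote script, one local-file inclusion, one same-origin path.
SAMPLE = """<html><head>
<script src="https://example.com/site.js"></script>
<script src="file:///C:/Program Files/Netscape/Users/default/prefs.js"></script>
<script src="/static/app.js"></script>
</head><body><p>hello</p></body></html>"""

if __name__ == "__main__":
    for tag, ref in find_local_script_refs(SAMPLE):
        print(f"local-file inclusion via <{tag}>: {ref}")
```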

