"If we weren't willing to pay him more money, he said, he would disclose potential bugs to the news media during our developer conference," Treuhaft said. "We obviously didn't negotiate and treated the threats like he was making like a bomb scare."
news.com
----------------------------------------------------------------------------------------------
Netscape faces Communicator bug scare
By Alex Lash
June 12, 1997, 6:45 p.m. PT
Netscape Communications (NSCP) thinks it may be faced with the first major bug in its just-released Communicator software suite, but is having trouble confirming the bug's existence.
The Danish company that claims to have discovered the bug won't tell how it found it or how to test for it. And, so far, Netscape engineers have been unable to find the bug themselves. "Nobody has been able to verify that the shipping version of Communicator is susceptible," said Netscape director of security Jeff Treuhaft. He said Danish security software company Cabocomm verified the bug with a beta version of Communicator.
Cabocomm was not available for comment.
First reported on the CNNfn Web site, the bug allegedly allows a Web site administrator to peruse files on the hard drive of anyone accessing that administrator's site with the Navigator browser--which ships as part of the Communicator suite. To do so, the Web administrator needs to know the exact path and name of the file.
Cabocomm first discovered the hole and contacted Netscape but then asked for money in return for the technical details. Netscape offers $1,000 and a T-shirt to anyone who reports a bug in their software. Netscape says Cabocomm insisted on more before it would hand over its proof.
"If we weren't willing to pay him more money, he said, he would disclose potential bugs to the news media during our developer conference," Treuhaft said. "We obviously didn't negotiate and treated the threats like he was making like a bomb scare."
CNNfn and PC Magazine helped Cabocomm test for the bug, but neither publication will divulge the details to Netscape because they signed non-disclosure agreements--that is, agreements to not pass on any information. Both publications, however, wrote stories that the bug exists and that it poses a potentially serious security hazard.
Netscape is now working with what information it has, trying to determine if the bug indeed exists in the shipping version of Communicator, which became available for download just this week.
"We have to see if it's an HTML form-posting thing, or a JavaScript thing, for example, to see where the potential bug may exist in the product," said Treuhaft.
Truehaft did not know how many copies of Communicator have been downloaded so far.
The bug would be the first major security breach for Communicator, a new suite of groupware and Internet products. Netscape has encountered a series of security problems with its old browser Navigator, as has arch rival Microsoft with its Internet Explorer browser.
-----------------------------------------------------------------------------------------
FYI
Best regards,
Arno
|
