Browser Bug Quickly Becomes a Bee in Netscape’s Bonnet

From Washington Post

It had the makings of a high-tech thriller--a threatening Internet software bug discovered by a European computer whiz who would reveal it only if he were amply rewarded.

The story went public Thursday evening, when Cable News Network’s financial service, CNNfn, reported that a Danish computer expert had found a bug in the Web browser software created by Netscape Communications Inc. The flaw could serve as a peephole into any user’s computer.

The bug was real. Computer experts at PC Magazine, who regularly test hardware and software, confirmed that when they used Netscape’s software to look at a Web site created by an Aarhus, Denmark, company called CaboComm, computer experts at CaboComm were able to look at a file stored on the hard drive of a personal computer in PC Magazine’s New York offices.

“We gave the Danish company the name of [a] file,” said Jake Kirchner, PC Magazine editor. “They were able to read it back and send us the contents of the file.”

Not everyone can exploit the bug--just someone running a Web site. But if a Web site administrator knows the name of a file on the hard drive of a computer, he or she could see the entire file. The bug exists in Netscape’s software from version 2.0 on up.

Rosanne Siino, head of communications for Netscape, said products with the bugs have been available for about 18 months, and “we’ve not had reports of malicious behavior.”

What made this bug different, however, was that the bug catcher wanted more than a token reward.

On Monday, CaboComm sent an e-mail message to Netscape, saying it had found a bug that could lead to serious privacy violations. A few hours later, Netscape sent a note to CaboComm, offering its usual “bounty” reward: a T-shirt, a Netscape coffee mug and $1,000.

Not good enough, the Danes replied. Their engineer had spent almost a month teasing out the bug.

“We do not want to participate in the bug bounty program,” said Christer Hasse, a spokesman for CaboComm, in a telephone interview.

In an e-mail sent to Netscape, CaboComm talked tough, suggesting that the person “with the company checkbook” at Netscape should respond.

As Netscape engineers scrambled to puzzle out the bug, CaboComm decided to go public.

In the meantime, Netscape created a fix, Siino said. After it is double-checked, Netscape will post the patch on its Web site, possibly early next week.
