• silicon.com
• Technology
• Security

By Sally Watson, 9 August 2000 00:25

NEWS A security hole has been discovered in Netscape Navigator which allows the browser to be turned into a covert web server. This is the claim of US hacker Dan Brumleve, who posted a software program, called Brown Orifice, to the web which exploits a hole in the browser's Java interpreter, making local files accessible to the outside world. The user does not need to open an attachment or start a program running to start the attack. "I've discovered a pair of new capabilities in Java, one residing in the Java core and the other in Netscape's Java distribution," Brumleve wrote to users on his home page. "The first allows Java to open a server which can be accessed by arbitrary clients. The second allows Java to access arbitrary URLs, including local files." Once the Java applet has been installed in the browser, it creates a web server within the browser's runtime environment allowing anything on the system to be accessed. According to Brumleve, users need only to surf through a web page carrying the program to be at risk. Once the Java applet has been activated, files remain exposed until the user exits the browser completely. John Hayday, knowledge services director at Internet Security Systems (ISS), said this was the first time a Java bug had been discovered in Navigator. "Java is quite a powerful programming language," he said. "It normally operates in a self contained 'sandbox' providing protection, but in this case it doesn't work." Although intrusion detection software can identify the applet once it is known about, Hayday warned active code on the web will always pose a risk. "You can only prevent this if you are prepared to stop downloading active content," he said, "and that restricts the functionality of the web." Hayday criticised Brumleve for posting Brown Orifice publicly. "This was probably around for four or five days before it went mainstream. That gives people time to play with it and mutate it," he said. But in an interview with silicon.com earlier this year, Sir Dystic, author of another hacking program, Back Orifice, said this type of action was a constructive warning. "Back Orifice was saying this is the most obvious and easy way that somebody is going to take over your computer and there's no defence for it - nobody's dealing with these issues," he said. A spokesman for Netscape said the company takes all security issues very seriously. "We are working to quickly evaluate and address this concern," he said. "We plan to make a patch available, but in the interim users can protect themselves by simply turning off Java."