
Netscape Software for Cruising Internet
Is Found to Have Another Security Flaw
The Wall Street Journal
Monday, September 25, 1995
by Jared Sandberg
Another security flaw that has long plagued the Internet has been found in
software by Netscape Communications Corp. and others, raising concerns for the
privacy and safety of information on the global computer network.
The flaw in Netscape's popular Navigator software, which helps users cruise
the multimedia portion of the Internet known as the World Wide Web, is the third
defect in the software discovered by the "Cypherpunks" discussion group in little
over a month. Members of the Cypherpunk group, which includes mathematicians
and hackers who discuss the security method of cryptography, last month broke
Netscape's "key" that protects sensitive data by "brute force" -- the use of
massive computing power. Last week, other members found a flaw that could let
hackers essentially pick the lock in Netscape's software.
Unlike the prior glitches, however, the latest flaw doesn't lend itself to
the theft of multiple credit-card numbers. Instead, it could allow a savvy hacker
to damage an Internet user's computer, such as crashing the computer or deleting
files.
"This is just another indication that Netscape isn't being careful," said William
Cheswick, a security researcher at AT&T Corp.'s Bell Laboratories.
Still, he said, the flaw goes well beyond Netscape. It first reared its head
seven years ago when Cornell graduate student Robert Morris used it to create
a "worm" that crippled thousands of computers on the Internet. Last February,
the same kind of flaw was found in the popular Mosaic program created by the
University of Illinois. But that strain of the flaw was more serious than its
latest appearance because it affected the computers that store many users' credit-card
numbers. Now experts are discovering that the flaw shows up in other so-called
Web browsers such as Links and Arena.
"We're so glad that the network dog dances, we don't realize that it's rabid,"
Mr. Cheswick said of the programming quality of many software packages.
Marc Andreessen, vice president of technology at Netscape, said the company
will issue fixes for the recent glitches later this week. He added that it's
unclear whether anything other than temporarily crashing a user's computer could
result from the recent flaw. But, he said, once users adopt the modified software,
"this problem won't be around long enough to cause a problem."
Some, however, worry that another variation of the flaw will prove more difficult
to cope with in the coming months. Bruce Fancher, president of Phantom Access
Technologies, Inc., operator of the MindVox Internet access service, said a
variation of the security hole has been found in several Unix software packages,
which run on thousands of Internet computers that contain users' credit-card
numbers and other personal information. It could cause far more damage than
the Netscape flaw, he said. "This is going to be a big problem," warned Mr.
Fancher, adding that he's been told that hackers are already devising software
toolkits to exploit the hole. "This flaw is an easy mistake to make, but it's
also easy to fix," he said.
The latest flaw came to light early Friday morning when a reader of the Cypherpunk
mailing list discovered the glitch and posted a message to the Internet. Basically,
the software on an end-user's machine allows for commands that are too long,
letting an intruder tack on an extra line of damaging code that could crash
the computer. Instead, the software should verify the length of the commands
that computers accept.
Security buffs concede that the recent round of security glitches found in
several pieces of software, including a virus found in Microsoft Corp.'s Word
program and security problems at America Online Inc., has shaken confidence
in electronic commerce. But they say the publicity brings to light problems
that will ultimately make software more secure. Richard Lethin, a graduate student
at Massachusetts Institute of Technology who participates in the Cypherpunk
discussion, said: "This technology for electronic commerce is ultimately going
to be real important, but there might be some hiccups at the start."