Hacker finds hole in Netscape

Security expert Dan Brumleve has found a gaping hole in Netscape
Communicator. Brumleve, who discovered the Cache Cow
flaw and its progeny in 1998, has created a pernicious Java
applet he calls Brown Orifice, which provides
Internet access to a user's local files.

Exploiting problems in Netscape's implementation of Java, Brumleve's
applet running on a Netscape browser turns a computer into
a file server; it delivers files on the computer's hard
drive to anyone on the Internet. "This is potentially
one of the worst things that can happen in browser security,"
Brumleve said of Brown Orifice, which is named after the infamous
hacker utility Back Orifice.

He explained that the applet could be embedded in any web
page; if a surfer accesses the page using a Netscape browser,
the applet will run in the background, surreptitiously providing
access to the computer's files. Worse, the applet can
be initiated through email messages that are read on Netscape
Mail, Brumleve said. "Somebody can send you a hostile
mail message, and you can send them back all the data on your
computer."

"So this is certainly enough to cause a catastrophe," Brumleve
said, comparing the applet to the Melissa virus. Using the
test link Brumleve provided on his website announcing the
hole, Wired News was able to corroborate Brumleve's claims.
The applet, running on Communicator 4.74 on a Windows 98 PC,
provided full access to the PC's files; it persisted
until Communicator was shut down.

Brumleve said that the applet would run on versions 4.5 to 4.7 of Netscape
Communicator, on Windows-based and Linux-based computers.
Netscape officials said that they are aware of the problem,
and that engineers are working on a fix. "We plan to
make a patch available, but in the interim, users can protect
themselves by simply turning off Java," said Andrew Weinstein,
a spokesman for the company.

To turn off Java, a Netscape user should click on the Edit
menu, choose Preferences, and then choose the
Advanced option. Then, users should make sure
that the Enable Java option is not checked. Weinstein
added that in a few months, the company will release version
6 of its browser, which is not vulnerable to the security
hole.

Preview Release 2 of Netscape 6, which does not contain the vulnerability,
is available now at the company's website. Some in the
hacker community speculated on Brown Orifice's non-malicious
uses. The applet can easily be used as a Napster-like file
sharing utility, Brumleve said, giving a community of users
access to files on each other's computers.

Brumleve spent a day at a San Francisco Internet cafe showing off Brown
Orifice and said many people there were using it for file-trading
purposes. Brumleve discovered the bug in Netscape while messing
around with Java last week. He said that once he realized
the flaw, "It didn't take very long to find out
how to make the program. I was surprised that nobody has done
it until now."

Since Brumleve developed the applet, his site has received
more than 200,000 hits, and thousands of people have downloaded
the Brown Orifice source code. Brumleve's applet exploits
two different flaws in Java, he said. One is specific to the
Java language: This hole "Allows Java to open a server
that can be accessed by arbitrary clients," Brumleve
wrote on his site.

The second hole is more dangerous, and is only found in Netscape: It
"Allows Java to access arbitrary URLs, including local
files." "At this point it's very unsafe to
run Netscape Mail, or even use Netscape as a browser on untrusted
sites," Brumleve said.