Netscape Communications was confronted last week with a Java vulnerability that allows a Java applet to set up a server process to improperly retrieve and distribute information on locally connected networks.
The bug, dubbed "Brown Orifice" (BO), exposes information to malicious users, compromising both privacy and file security.
The situation can be prevented by disabling Java, but Sun Microsystems and Netscape, a subsidiary of Internet giant America Online, are working toward a solution for the bug.
By exploiting the Java vulnerability, an outside server is capable of accessing arbitrary files on the compromised computer or browser system through "file" URLs, said Chris Rouland, a director of the X-Force Security Group at Internet Security Systems (ISS), a security management and consultancy company.
Rouland said all versions of Netscape Navigator and Netscape Communicator versions 4.74 and earlier are defenceless when Java is enabled.
AOL spokesman Andrew Weinstein said that the company is working hard to make available a patch for the Java bug as soon as possible.
In the interim, he advised users to protect themselves by simply turning off Java altogether. The Netscape security hole will collapse once users exit the program, Weinstein said.
But Netscape's shutdown solution to the vulnerability is lacking, ISS' Rouland said, because that action would greatly inhibit users' ability to use and visit Web sites. Because of the flaw's seriousness, he suggested that users switch to another browser until it is corrected.
"The fact that the code is out there, published, means any script kiddie can copy this and plug it in to a Web site infrastructure and compromise a site," Rouland said. "We consider it a serious attack tool because the first day of any attack is information-stealing."
Microsoft Internet Explorer and Mozilla.org have been tested and do not feature similar browser vulnerabilities at this time, Rouland added.
If a hostile Java applet is launched from a hostile Web page, the applet can download a set of socket classes, permitting it to create a Web server within the browser's Java run-time environment.
By using the socket classes and taking advantage of "file" URLs, the exploit code can gain access to any local files, including any network files that can be reached through file sharing from the local system, ISS officials said.
Unlike other browsers, Netscape does not provide error files when a Java applet tries to open a local file, said Elias Levy, CTO of Securityfocus.com, a security information and community resource site.
Despite the privacy and information protection implications, Levy said the Netscape vulnerability is somewhat limited in how much damage it can inflict on computers or how it can spread.
"You can't really use it to hop from machine to machine," Levy said. "The intent is to entice users to access the external Web server that would access their files," he said.
The Java vulnerability appeared just as Netscape was releasing Netscape 6 Preview Release 2, the second downloadable beta version of its Netscape 6 browser, which is expected to be available by the end of the year.
AOL's Weinstein said the Java flaw is not present in the new browser, so any patch can be replaced by Netscape 6 after its release.
The Preview Release is available at: www.netscape.com/download.