Browser bugs continue

This has not been a good month for browser security. Late last week independent researchers discovered gaping holes in both leading browsers' JavaScript modules that could grant determined Web hackers access to files and information on the browsing computer. Though they're unlikely to jeopardise your privacy or data, the flaws do pose that risk.

Only days after it posted Navigator version 4.07 to close a nasty JavaScript security hole (the Brumleve or Cache-Cow bug), Netscape Communications has acknowledged yet another gap in the browser's armor: The Injection Bug, also known as Son of Cache-Cow, uses a slightly different technique to perform the same sleight of hand--downloading of the list of Web sites and files you've browsed. To make matters worse, the new exploit also reveals the contents of cookies and file directories on your hard disk. Netscape is working on a patch to close the hole for good.

Meanwhile, Spanish security researcher Juan Carlos Cuartango has discovered an even more alarming bug in Microsoft's Internet Explorer 4.01 that allows malicious HTML coders to actually steal files from your hard disk. The only catch is that the Web hacker must know the file's path and file name in advance--not a problem for key Windows configuration and other sensitive data files. Internet Explorer Product Manager Mike Nichols confirmed that Microsoft is working on a patch for this hole, but couldn't say when it would be posted on the company's Web site.

If you'd rather be safe (and somewhat inconvenienced) than sorry, both companies recommend that you disable your browser's ability to execute JavaScript until a patch is released.
