The Java security bug attributed to versions 3.x and 4.0 of Microsoft Internet Explorer may also apply to some configurations of Netscape Navigator. Ben Mesander, a senior consultant at Creative Concepts in Colorado, says he has found a way to tell a Java applet to open a network connection to a different server than the one it came from.
Initially, it appeared that only Explorer had the bug, which allows Java applets to lead the browser to any server and start loading files quietly in the background, in apparent contravention of Java security specs. Mesander demonstrates and details the flaw on his home page at http://neurosis.hungry.com/~ben/msie_bug.
Microsoft has confirmed Mesander's findings and has posted its own explanation on the Internet Explorer security Web page (http://www.microsoft.com/ie/security). Although Microsoft claims that the flaw only lets unscrupulous sites download images or run applets that load Java classes from other sites onto the visitor's hard drive, Mesander says the flaw "can be easily abused" to dig up information inside a company's firewall and send it back outside.
Netscape hasn't responded to Mesander's claims and wasn't available for comment.
Creative Concepts is at http://www.creativecorp.com/.