Netscape quietly placed a patch on its Web site last week to address a security flaw discovered by developers in the Windows 95 version of the company's Netscape Navigator 3.0 Web browser.
"We placed the patch up on Wednesday night, without any sort of announcement," says Donna Sokolsky, a spokeswoman for Mountain View, California-based Netscape.
It followed the discovery of a security flaw in Navigator 3.0 that crashes Navigator's email reader when it receives certain email messages. In some instances, this can lock up a user's entire system. Compounding the problem is that it is apparently difficult for users receiving these email messages to delete them from Navigator's inbox without causing another crash, according to one developer.
"It would be pretty easy for a malicious person to send an email that could crash someone else's system. We have nicknamed these messages 'email letter bombs'," says a long-time Windows developer.
Before placing the patch on the company Web site, Netscape officials acknowledged the problem in a written response to developers, saying they would "give the bug immediate attention" and correct it in an "upcoming release of Navigator".
In their response to developers, Netscape officials say the bug fits into the "denial of service" category. They say the bugs are interesting in that they cause Navigator to "go off in the weeds" and make it appear the program has hung up. Such bugs are typically difficult to fix, Netscape officials say, but in this case, they have a fix. They don't indicate, however, in which version of Navigator they will permanently resolve the problem.
Navigator 4.0 is scheduled to be released in next year's first quarter. A beta version of Navigator 4.0 will be unveiled at the Netscape Internet Developers' Conference this week in New York.
Part of the problem revolves around the more advanced technologies in Navigator, such as its capability to automatically display an HTML page in the email reader. "All these new technologies flying around -- in Netscape's case, the ability to show these HTML attachments automatically -- open up the box to these sorts of problems," according to one developer.
To create an email letter bomb, developers say, email senders need only compose an email message in Navigator 3.0 that contains BOOM.HTM as an attachment. When the Netscape Mail program opens, Navigator locks up. The lockup happens when the Mail program tries to display the attachment. The Netscape Mail program is supposed to automatically show email attachments.
Although more experienced users might typically kill Navigator when it has hung up, by hitting the Control-Alt-Delete keys, less experienced users may turn their machines off and lose some data.