Weekly Wire
Nashville Scene Out of Line

Is the Web surfing you?

By James Hanback Jr.

OCTOBER 26, 1998:  At least three major security flaws have been discovered in two of the world's most popular Web browsers, according to recent reports all over the Internet. Unless repaired, the newly discovered flaws could actually allow someone to access and pilfer information from a user's hard drive.

It started with Netscape

Dan Brumleve, a computer consultant in California, discovered a bug in Netscape Communicator (and previous versions of Navigator) he called the "Cache Cow." Later, he discovered a second, potentially more malicious bug he is calling "Son of Cache Cow."

A Web browser's disk cache is space on the hard drive used to temporarily download and store Web pages, images, Java applets and almost anything users see when they visit a Web page. The Web browser then checks what's in the cache against the site the next time the user visits it. If the site hasn't changed, the browser will load some information from the cache so the page doesn't take as long to download.

Cache Cow could allow malicious Webmasters access to a user's cache, which would in turn allow them to see which sites the user has recently browsed. Depending on what type of sites the user has been accessing, the information gleaned by taking advantage of Cache Cow could be dangerous.

Imagine that you have a corporate intranet with Web-based sharing of information. One of your users has been viewing sensitive documents meant only for the company's intranet users, but then he uses the same browser for access to the outside world. If that user happens upon a malicious site, that sensitive corporate information could suddenly be public knowledge.

Netscape reportedly fixed the Cache Cow bug in Communicator 4.07. But only days after the company announced the fix, Brumleve discovered the Son of Cache Cow bug, which could allow Webmasters to steal "cookies" from Netscape. The bug affects every JavaScript-enabled version of Netscape, including 4.07 and the newest version, 4.5.

A "cookie" is a common technology among Web sites, often used to store site preferences set by a user so that they remain intact when the user returns to the site. In some cases, it is also used to ease access to password-protected areas of a site.

Brumleve also developed some CGI (Common Gateway Interface) code that uses Son of Cache Cow to steal the file names from a directory on the user's hard drive.

Netscape is reportedly now working on a fix for Son of Cache Cow. The company has renamed the bug the "Injection Bug," because Webmasters can take advantage of it by "injecting" malicious JavaScript code into a Web page.

But Netscape isn't the only browser affected by major security issues of late.

Not to be outdone by Brumleve, a Spanish Webmaster, Juan Carlos Cuartango, has reportedly discovered a major hole in Microsoft's Internet Explorer 4.01 and the beta version of Internet Explorer 5.0. According to recent Internet reports, the IE hole (dubbed the Cuartango Hole) allows malicious Webmasters to steal files from a user's hard drive.

According to Cuartango, the hole is in IE 4.01's scripting technology, which allows some cut-and-paste functions to be performed through the browser's native scripts and in turn allows the Webmaster to bypass some of Microsoft's built-in security measures.

Perhaps more importantly, some experts say the bug can also be exploited in Microsoft's e-mail application, Outlook Express. Simply by opening an e-mail that contains HTML (the language used to format pages for the World Wide Web), an Outlook Express user can potentially open his hard drive up to the world.

And because Microsoft has embedded the IE 4 suite of Internet tools into the latest incarnation of its Windows operating system (you can use IE to browse your hard drive), the potential for havoc-wreaking could be greater than has yet been uncovered.

Microsoft claims to have a fix for the problem, which is available on the Web at http://www.microsoft.com. Netscape Communicator 4.5 may be downloaded from http://www.netscape.com, but it might be wise to wait for the fix for Son of Cache Cow first.

In the meantime, Cache Cow may be less of a risk if users clean out their Netscape cache directories more often. In Communicator 4, this is accomplished by doing the following:

  • Under the Edit menu, select Preferences;
  • In the left-hand frame, click the plus sign beside "Advanced" and select "Cache";
  • In the right-hand frame, click "Clear Disk Cache";
  • To clean out anything cached to your computer's RAM, you may also click "Clear Memory Cache."

Netscape Navigator/Communicator and Microsoft Internet Explorer also provide options for users to disable their respective scripting abilities. Such features, which could help protect users against malicious JavaScript, are located in Netscape Communicator under "Advanced" in the Preferences area. Internet Explorer scripting may be turned off under the Options selection in IE's View menu. Select the "Security" tab and "Custom" to define your own settings.

The problem with disabling scripting, however, is that users may not be able to view some of the content of sites that make use of those scripting languages.

To date, neither Netscape nor Microsoft claims to have heard reports from users who believe they have been victims of the bugs.

Copyright, schmopyright

A new piece of copyright legislation is drawing a storm of criticism from some on the Net who are striving to make information free. On Oct. 12, the U.S. House passed legislation that strengthens copyright protections in cyberspace and implements two 1996 treaties by the U.N. World Intellectual Property Organization.

According to reports at abcnews.com, the legislation is intended to strengthen protections via technology for works transmitted online while ensuring that the public may still access them.

Users are prohibited from circumventing technology on the Internet designed to protect copyrighted works, according to the new measure, which also claims such prevention is necessary because of the theft of works and the loss of billions of dollars in the film, music, and software industries.

Critics claim that the measure violates "fair use" laws, which allow some copyrighted material to be used by others when it is in the context of a review, among other things. The House said it intends to watch over the next two years to determine how the measure will affect fair use.

A piece of the Apple pie

Since the return of Steve Jobs as acting CEO for Apple Computer Inc., the company has seen some good times. Under Jobs, they've rolled out the newest versions of the Mac OS (8.0 and 8.1); they've introduced the high-powered G3 processor; and they've rolled out the iMac, the company's most popular computer in a long while.

Last Wednesday, in an announcement during stock trading (an unusual move for the company), Apple Computer said that it just closed out its first yearly profit since 1995--total fourth-quarter earnings of $106 million with revenues of $1.6 billion.

Computer-industry watchers have noted Apple's gaining momentum over the past couple of quarters, which was a sharp turnaround from the downward trend of the past few years.

Since the launch of the iMac, the turnaround has been even more rapid. The new product won the C|Net "most innovative product" award and has been touted during "Must See TV" on NBC Thursday nights. Jobs said in his announcement last week that 40 percent of the iMac's buyers were new Apple customers, something the corporation has badly needed.

Until late in 1997, speculation abounded that Apple was going under. Now, Jobs says, good times have returned. Apple shipped approximately 278,000 iMacs in the first six weeks of the product's life. Jobs says that makes the little translucent computer the biggest selling Macintosh in history. He attributed the new profitable times to the launch not only of the iMac, but of other new products and some restructuring.

Jobs also announced the launch of Mac OS 8.5. Like Microsoft's Windows '98, this Macintosh upgrade boasts the integration of the Internet with Mac OS. The new version has a feature Apple calls "Sherlock," which is supposed to be able to search the Internet or the user's hard drive without the use of a Web browser.

Email James at james@nashvillescene.com.

Weekly Wire    © 1995-99 DesertNet, LLC . Nashville Scene