Re: [escepticos] the Big Brother
Jose M. Bello Dieguez wrote:
> Mig, I just tried it and I'm stunned. Amazing. What do the computer
> people on the list say?
>
> Regards,
>
> JM
If you go to the page and look at the media coverage, you'll be even
more alarmed, and the dates are quite recent, only some four or five
days back. I'm posting here only the piece from
Wired News:

Browser Privacy Fix Fails
by Chris Oakes
10:35 a.m. 7.Oct.98.PDT

The man who discovered a vulnerability in
Netscape's Navigator browser wasted no
time in finding a similar problem in the latest
version of Navigator released Monday.

Dan Brumleve, a software consultant, found
the original security hole in Navigator that
lets would-be intruders detect a list of Web
sites recently visited by an individual. Even
though the new version, Communicator
4.07, includes fixes for the original flaw,
Brumleve said Tuesday that they don't work.

"The new hole has the effect of
circumventing the read-protection
mechanism [employed by Netscape's
updated software] in a more general way,
allowing any document to insert JavaScript
code into another document's context," he
explained in an email.

The ability to insert rogue JavaScript
instructions into a Web page still leaves
browsing information and other sensitive
data exposed, he said. Brumleve has written
test scripts enabling him to pilfer a user's file
directory and "cookies," which often contain
private information.

Cookies are chunks of data used by some
Web sites to identify the browser, and the
user, visiting the site. In the wrong hands, an
intruder could visit a Web site using
someone else's identity.

Netscape confirmed the hole in its new
software.

"We've confirmed that, in fact, it is another
privacy bug," said product manager Eric
Byunn. "We'll be posting a notice to our Web
site about it, as we did on the other one."

Byunn said that Netscape will issue a
software fix as soon as possible.

As with his earlier finding, dubbed
Cache-Cow, Brumleve posted his new
findings -- appropriately named Son of
Cache-Cow -- with demonstration scripts on
his own Web site as a warning.

"Finding the Cache-Cow hole was a freak
accident of observation, and zeroing in on
this new hole only took a few hours of
research," he said. "There are probably
dozens of other problems like this that
nobody has found yet."

The recurrence of privacy-oriented
vulnerabilities is a worrisome sign to some
experts that browser companies need to
rethink their approach, rather than simply
reacting to holes as they're discovered.

"The fact that there are so many little leaks
like this is kind of disturbing," said Richard
Smith of Phar Lap Software. "I sent a list of
19 problems to Netscape and Microsoft in
these areas back in August. Their response
was that there was no way to get JavaScript
to access this stuff."

Smith ran his own tests and confirmed at
least one of Brumleve's newly discovered
exploits. He made his own discoveries of
vulnerabilities in the Eudora email program
last summer.

When the original problem surfaced,
Netscape said it would be investigating all
aspects of JavaScript to prevent similar
situations in the future. But despite the quick
discovery of a similar exploit, Byunn doesn't
consider the problem systematic.

"This really is a new bug," he said. "It's
entirely separate from the previous bug in
the way the attack is made under the
covers. We really just feel it's more of a
coincidence and the fact that there's a smart
guy who's working hard to find privacy bugs
or vulnerabilities in our products." The
company is glad to get the feedback on its
software, Byunn said.

But Smith thinks the browser companies
need to step back and take a bigger look at
interaction between different software
components like JavaScript and applications
like browsers. What Brumleve is dramatically
demonstrating, Smith said, are the
impressive capabilities that come from
combining browser actions with scripting
languages like JavaScript.

"I don't think [any browser company] can
give you a [definitive] answer as to whether
there's a security hole or not.... They've got
to understand how products fit together
here. It's almost like Lego. We have the
danger that people don't realize that we can
put things together to figure out scary
security problems."

As more companies use the Web to run
critical business applications, security holes
may represent lucrative opportunities for
electronic intruders.

For example, Smith noted that Microsoft has
established a convention that causes its
personal finance software, Microsoft Money,
to launch automatically. Just like a browser,
which can be automatically started with
"http://" text in an email message or script,
Microsoft Money can be launched using
"money://," Smith said.

Therefore, Smith concluded, it's possible to
imagine a scenario where a person's
financial software could be induced to make
an electronic payment to a site, and not
necessarily the right one.

In Smith's opinion, "there should be no way
that an email message can start up
Microsoft Money. That's the complexity issue
we get into here."

Smith said Brumleve's exploits could also be
carried out via JavaScript included in email
messages. By sending a message carrying
a rogue script, the Netscape browser could
be made to launch and carry out the
misdeed.

Brumleve says the latest exploit affects all
versions of Netscape's browser that support
JavaScript, including the new one. He has
not tested the exploits on Microsoft's Internet
Explorer software, mainly because he does
not regularly use it, he said.

Microsoft representatives could not be
reached for comment.