COMMAND

    Netscape Communicator

SYSTEMS AFFECTED

    Win95, NT running Netscape Communicator 4.01a and 4.02

PROBLEM

    Andre L. Dos  Santos found following.   Using the latest  Netscape
    Communicator you are able to get your credit card number, password
    for online banking or online brokerage order, etc, only restricted
    by the imagination of the malicious server implementer.

    This is  due to  a flaw  in Javascript  identified by the Reliable
    Software  Group  at  University  of  California  Santa Barbara. It
    enables a malicious site to track all activities of a user in  the
    Internet.   Besides  being  able  to  get  this information, which
    violates the user's privacy,  by using an ingenious  technique you
    are able to target chosen pages and use a fake server to  convince
    the user to type in privileged information.

    This flaw was  tested in Netscape  Communicator 4.01a, the  latest
    version  of  Netscape,  and  it  is described, together with other
    attacks in paper at:

        http://www.cs.ucsb.edu/~andre/attacks.ps

    Netscape has released  a new version  of Communicator for  Windows
    95/NT.  It  is  Netscape  Communicator  4.02. In this version this
    attack is much more threatening.  This is because on the  previous
    version the access on  the location object was  better implemented
    and in order to get a string value to this object we had to  close
    a second browser we opened. Using the new version of Netscape  you
    are  able,  using  an  infinite  loop,  to  access the string that
    represents the  location object,  against the  security policy  of
    Javascript.  Therefore, using this version, we don't even need  to
    close the second browser.

SOLUTION

    At  this  point,  wait  for  Netscape's response or downgrade your
    software.