COMMAND

    Netscape Communicator

SYSTEMS AFFECTED

    Netscape Communicator 4.[56]x

PROBLEM

    Peter W. found the following.  This advisory describes a flaw verified
    in Netscape Communicator 4.6-0 as distributed by Red Hat  software
    for  x86  Linux  and  Communicator  4.51  and 4.61 for Windows NT.
    Communicator  does   not  enforce   "originating  server"   cookie
    restrictions as  expected when  JavaScript is  enabled, leading to
    privacy issues for users who may think they have taken  reasonable
    precautions.

    Communicator 4.6 has a  setting to warn before  accepting cookies,
    and  another  to  "Only  accept  cookies originating from the same
    server as the page being viewed".  That latter option is  supposed
    to, and used to, completely and quietly reject "DoubleClick" style
    third party ad  cookies, i.e., cookies  from servers that  did not
    produce the main HTML document.  These third party ad servers  use
    cookies  to  track  Web  users  as  they  move  through completely
    unrelated Web  sites.   By accepting  the cookie,  one allows  the
    third party to compile a profile of visits to other Web sites that
    use the third party's ad service (though normally the third  party
    does not know the end user's exact identity).

    Peter noticed  a warning  for a  cookie (for  doubleclick.net) not
    from the  domain of  the page  he was  viewing (newsalert.com)  --
    which the cookie settings should  have rejected outright.  If  you
    turn off  the warning,  Netscape silently  accepts the doubleclick
    cookie,  although   you  still   have  the   "originating  server"
    restriction enabled.

    Means of exploit?   The reason?   You have JavaScript  enabled for
    Web browsing.  The offending  newsalert page used a tag  something
    like

        <SCRIPT language="JavaScript1.1" SRC="http://ad.doubleclick.net/...">

    and  Communicator  seems  to  interpret  this  as  a  "page"  from
    doubleclick when it's only  getting a snippet of  JavaScript code.
    Intent?  Peter has been in communication with DoubleClick on  this
    issue.   They  raise  credible  reasons  to justify using <SCRIPT>
    instead of simple <A><IMG> tags: preventing caching, and  allowing
    the ability to use media  other than simple images for  their ads.
    Nevertheless,  this  technique  does  subvert  user   preferences,
    regardless of whether this  was the original intent.   DoubleClick
    does  have  an  "opt  out"  program  that sets a generic cookie to
    prevent  further  tracking;   see  http://www.adchoices.com/   for
    details.

SOLUTION

    Concerned Netscape users should  either turn on warnings  and read
    notices  carefully,  disable  JavaScript,  or  completely  disable
    cookies.   The  cookie   security  mechanism  should  not   accept
    <SCRIPT SRC="..."> as a valid "page" for the purpose of the cookie
    settings.  Nor should it allow any similar means of bypassing  the
    "originating  server"  restriction,  including  external CSS files
    (by  specifying  a  style  sheet  from  a  different  domain  with
    <link rel="stylesheet"  type="text/css" href="...">  you can  also
    sneak a cookie past the "originating server" restriction, but only
    if  both  style  sheets  and  JavaScript  are  enabled)  or  other
    documents not of type text/html.
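    As an added illustration (not code from the advisory or from Netscape), the
    JavaScript below models the "originating server" cookie decision: the flawed
    check treats a <SCRIPT SRC> or stylesheet response as the "page", the
    corrected check only lets the top-level text/html document define the page.
    The host names and the Set-Cookie header are constructed for the example.

```javascript
// Added example (not the advisory's code): models the "only accept cookies
// originating from the same server as the page being viewed" decision.
// The flawed policy treats a fetched <SCRIPT SRC> or stylesheet as the
// "page"; the corrected policy only counts the top-level text/html document.
// Does the cookie's domain cover `host`?  Exact match, or a Domain attribute
// (leading dot) that is a suffix of the host.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const suffix = cookieDomain.startsWith(".") ? cookieDomain : "." + cookieDomain;
  return host.endsWith(suffix);
}

// Minimal Set-Cookie parser: {name, value, domain}; the domain defaults to the
// responding host when the header carries no Domain attribute.
function parseSetCookie(header, responseHost) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, value = ""] = parts[0].split("=");
  let domain = responseHost;
  for (const attr of parts.slice(1)) {
    const [key, val = ""] = attr.split("=");
    if (key.trim().toLowerCase() === "domain" && val) domain = val.trim();
  }
  return { name: name.trim(), value: value.trim(), domain };
}

// `fetch`: responding host, resource type, and the top-level document's host.
// Flawed check, as the advisory describes it: a script (or stylesheet)
// response is taken to be a "page" from the responding host, so a
// third-party ad server's cookie passes the same-server comparison.
function acceptCookieFlawed(fetch, setCookie) {
  const cookie = parseSetCookie(setCookie, fetch.responseHost);
  const treatedAsPage = fetch.resourceType === "script" || fetch.resourceType === "stylesheet";
  const pageHost = treatedAsPage ? fetch.responseHost : fetch.documentHost;
  return domainMatches(pageHost, cookie.domain);
}

// Corrected check: only the document the user navigated to defines the
// "page", so every subresource is compared against the document's host.
function acceptCookieFixed(fetch, setCookie) {
  const cookie = parseSetCookie(setCookie, fetch.responseHost);
  return domainMatches(fetch.documentHost, cookie.domain);
}

// Constructed sample: a newsalert.com page loads an ad script from
// ad.doubleclick.net, whose response sets a tracking cookie.
const adScript = { documentHost: "www.newsalert.com", responseHost: "ad.doubleclick.net", resourceType: "script" };
const adCookie = "id=abc123; domain=.doubleclick.net; path=/";
```

    With the sample above, acceptCookieFlawed accepts the doubleclick cookie and acceptCookieFixed rejects it, while a cookie set by the newsalert.com document itself is accepted by both.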