COMMAND

    The Singapore privacy bug

SYSTEMS AFFECTED

    Systems running Netscape Communicator (Mac, Win and Linux)

PROBLEM

    It produces identical results to two previous flaws related to
    JavaScript, a scripting language Netscape invented and uses in
    its browsers. It allows a Web site administrator to place a
    nearly-invisible applet on a user's hard drive then track the
    user's progress across the Web, including any data the surfer
    types into the browser such as credit card numbers.

    The Singapore Privacy Bug allows a hacker to observe a user's
    activity on the Web. It allows a hacker web site to exploit
    LiveConnect to observe which URLs a user visits, the data a user
    enters into HTML forms (including passwords), and data placed
    into a user's cookie file. The bug does not allow a malicious web
    site operator to see, erase, or steal data from a user's hard
    disk. LiveConnect is a technology that enables communication
    between JavaScript and Java applets in a page.

    According to a technical director at ZDNet, Franco Ruggeri,
    Chiang's applet is tiny, one pixel by one pixel, and is saucily
    called "not" so the tool bar on the browser reports that "applet
    not running" when indeed it is. It then continues speaking to the
    browser as it continues on its way, recording URLs and
    information that users enter on many of the Web sites the users
    visit. This bug was found by Kuo Chiang and you can test it by
    going to his page:

        http://www.iti.gov.sg/iti_people/iti_staff/kcchiang/bug/

    After leaving this page, any web site that you subsequently
    visit will be captured by this web server. The information you
    enter into forms will be captured too, although this will
    sometimes not work.
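
    As an added example (not part of the original advisory and not
    Chiang's code), the traits described above can be audited in saved
    HTML: an applet of about one pixel and a name chosen to falsify the
    status text. The size threshold, the name list, the sample page and
    the check for MAYSCRIPT (the APPLET attribute that lets an applet
    call into JavaScript) are assumptions; the advisory does not say
    whether the test page used MAYSCRIPT.

```python
from html.parser import HTMLParser

# Constructed sample page (not taken from the advisory's test site).
SAMPLE_HTML = """
<html><body>
<applet code="Clock.class" name="clock" width="200" height="100"></applet>
<applet code="N.class" name="not" width="1" height="1" mayscript></applet>
<applet code="Ticker.class" width=0 height=0></applet>
</body></html>
"""
MAX_HIDDEN_PX = 2            # assumption: this small is effectively invisible
STATUS_BAR_NAMES = {"not"}   # names that turn "applet <name> running" into a lie


def _px(value):
    """Return an integer pixel size, or None for missing/non-numeric values."""
    try:
        return int(value.strip())
    except (AttributeError, ValueError):
        return None


class AppletAudit(HTMLParser):
    """Collects <applet> tags showing the traits the advisory describes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "applet":
            return
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if None not in (w, h) and max(w, h) <= MAX_HIDDEN_PX:
            reasons.append("tiny %dx%d" % (w, h))
        if (a.get("name") or "").lower() in STATUS_BAR_NAMES:
            reasons.append("status-bar name")
        if "mayscript" in a:  # valueless attribute is stored with value None
            reasons.append("mayscript")
        if reasons:
            self.findings.append((a.get("name") or a.get("code"), reasons))


def audit(html):
    parser = AppletAudit()
    parser.feed(html)
    return parser.findings
```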

SOLUTION

    You may want to turn off Java/JavaScript until Netscape resolves
    this bug. Netscape will keep customers informed through updates on
    the Security Solutions page. According to the latest news, the fix
    is being tested and will be included in the next release of
    Netscape Communicator, which is expected to be available in the
    next few weeks. Netscape 3.03 is available and it fixes this bug.