July 21, 1997
Security Breakdowns
By Bob O'Donnell
It has all the makings of a great spy novel: high-tech intrigue, greed, and millions of
innocent potential victims. This new chapter's title? "International computer expert
discovers fatal flaw in major US firm's product and demands hush money to keep his secret
private."
I'm referring, of course, to the recent discovery of a security lapse in Netscape's
Navigator browser by a computer consultant in Denmark, who unsuccessfully tried to extort
money from the company.
That particular chapter reached a mercifully quick ending, as Netscape was able to
replicate the bug and solve the problem in a matter of days. However, this spy novel about
browser security flaws seems to have no ending. The latest chapter revolves around a hole
in the JavaScript scripting language, found by a Bell Labs scientist, which ended up
affecting virtually every browser available on every platform. Of course, this is on top
of the three or four other major security breaches that have been discovered in various
browsers over the last year or so.
In each case, users were warned to quickly download the latest version of their
respective browsers. On some occasions this meant downloading a patch file that could fix
the current version, but more often than not it meant a complete new download and install.
At 8, 12 or even 22 MB per download, this was (and continues to be) a non-trivial
exercise. Plus, many companies prohibit or highly discourage random file downloading from
the Net, but without the latest versions their users' data was (or is) at risk. To add
insult to injury, Microsoft and Netscape have chosen to upgrade only the most recent
versions of their browsers with these security fixes, partially as a means to
"encourage" upgrades. Many sites still have wide deployments of Navigator 2.0
and other early browsers, which makes the problem even thornier. (It almost makes you
wonder if we can add a touch of conspiracy to our spy story ...)
There have been warnings to turn off Java or JavaScript in your browser to avoid some
of the various security problems. This certainly sounds innocuous enough, but have you
ever tried it? Oh, sure, it's just a set of "Preference" check boxes once you
find them, but do you know where those check boxes are? Go ahead and look. If you're
running a cross-platform shop with multiple versions of different browsers (a fairly
common scenario these days), you'll find them in one of several different places, very few
of which are at all intuitive. Navigator 3 has them under Network Preferences, Navigator 4
(Communicator) has them under Advanced Preferences, Explorer 3.0 uses Language Preferences
and Web Content Preferences, and I've yet to find a place to turn them off in the new beta
of Explorer 4.0.
At this point, I find myself having to join the growing chorus of industry analysts and
frustrated IS managers in saying, "Enough!" When is this unacceptably poor level
of quality assurance going to stop? I realize that Web browsers and the Internet in
general open up a host of difficult issues, but "Find this week's (or month's)
Internet security hole" is not a game we should have to be playing. I also realize
that software is getting incredibly complicated to write and harder and harder to test,
but this is serious business we're talking about. While a bug in the latest version of my
word processor may be annoying, a gaping security hole in my Web browser can be
devastating. There absolutely must be better, more thorough testing of these products
before they're unleashed on an unsuspecting public.
With Microsoft planning to incorporate the Web onto users' desktops under Explorer 4.0
and Memphis, the need becomes even more critical. I have no doubt Microsoft is keenly
aware of this, but given past experience, I wouldn't be surprised if two or three more
critical security flaws are discovered before the end of this year. I certainly hope that
isn't the case, but in their rush to battle for market and mind share, Microsoft and
Netscape don't seem to be placing enough emphasis on the safety of our data.
And that could lead to the novel's scariest chapter of all.
© Copyright 1997, by InfoWorld Publishing Corp., a
subsidiary of IDG Communications, Inc. Reprinted from InfoWorld,
155 Bovet Road, San Mateo, CA 94402. Further reproduction is prohibited.