Vmyths.com



Truth about computer security hysteria

Rob Rosenberger

Netscape: unsafe at any modem speed?

Rob Rosenberger, Vmyths co-founder
Saturday, 15 March 1997
THE RECENT DISCOVERY of a Navigator/Shockwave security bug brings to light the hypocrisy of Eric Greenberg, Netscape's senior security product manager. In case you didn't know it, Greenberg kicked Microsoft in the teeth with this holier-than-thou quote:
"We have never had a security hole in our products on the magnitude of [the Internet Explorer] security hole... We're less prone to this sort of thing."
Mind you, Greenberg said this after the first Microsoft bug came to light, which happened before the most recent Navigator/Shockwave flaw came to light. Greenberg "conveniently forgot" about last year's discovery of the "HTML page o' death," an exploitable bug in Navigator which could theoretically wreak havoc on millions of Netscape users. It took Netscape a full week to release a fix and they didn't even announce it on their home page when it came out.
I — yes, I! — helped reporters put last year's Netscape bug in its proper context. It never qualified as a world-threatening problem and I praised Netscape for treating it as such. I've since made my opinion of Greenberg known to every reporter who contacted me about the virus concerns "inherent" to the recent Explorer bugs. Poor Eric: he earned himself a nomination in the upcoming Computer Virus Hysteria Awards.
Wired magazine asked the obvious question: "if the solution's so easy, why was there a bug in the first place?"
On March 15th, I talked to a source with ties to Netscape who spoke on condition of anonymity. This person claims the company purposely avoided reporters until they could say "bug? What bug?" during the critical first contact. My source doesn't know if this strategy proved successful — but only a Wired magazine reporter bothered to send me email (after he wrote his story), so the strategy may have worked very well. Microsoft could learn a valuable lesson here.
Let the record show: Netscape made no mention of the Shockwave/Navigator solution on its home page as of 15 March 1997 at 8:20pm Eastern time. (My source pointed this out to me.) Microsoft prominently links to an "all-in-one patch" from their home page.
SOME PEOPLE MIGHT argue Microsoft needed to highlight this patch on their home page due to intense negative publicity. I agree — but this argument raises three serious questions:
  1. Why didn't Netscape publicly announce a fix on their home page after PC Week and PC Magazine ran a story about the "HTML page o' death" security bug?
  2. Why didn't Netscape publicly announce on their home page how to protect against the Navigator/Shockwave bug, after numerous media outlets published stories? This security flaw only affects those with the Shockwave plug-in, after all.
  3. And speaking of Shockwave, why doesn't Macromedia announce the solution on its own home page? Do they not want to admit the solution requires a pre-release version of their software?
The answer to these questions comes easily enough. Netscape (rightfully) views this latest bug as an obscure threat and they want to sweep it under the carpet just like they did with the last one. Plus, hypocrites don't like to face their own negative publicity.
On a final note — the "HTML page o' death" bug crept back into Netscape's beta 4.0 software, according to the fearmonger who discovered the bug last year. Navigator is once again unsafe at any modem speed. Sic 'em, reporters!
GIVEN ALL THE media hysteria surrounding Microsoft's bugs, you'd think reporters would jump at a chance to write about a new bug which lets anybody on the Internet read your email (even your deleted email). Well, you'd think wrong in many cases. The following news organizations failed to file stories as of 15 March 1997 at 4:30pm Eastern time:
  • news.com. They covered the Explorer bugs with gusto. Not a word about Navigator/Shockwave.
  • PC Magazine. They screamed about Netscape's "HTML page o' death" bug last year. Not a peep from them so far about the Navigator/Shockwave bug.
  • PC Week. They, too, screamed about Netscape's bug last year. Spencer Katt wrote a column about "glitches in several major products, with Internet Explorer, Windows NT 4.0 and Java topping the bug list," but he doesn't mention Netscape.
  • MSNBC. Reporter Alan Boyle covered the Explorer bugs quite well at the expense of his parent company ("Microsoft is a partner in the joint venture that operates MSNBC"). MSNBC didn't touch this story, though. Go figure.
  • PC World. News Radio host Brian McWilliams took the week off; his stand-in only mentioned Explorer bugs. The PC World website announced an (ironic?) ActiveX plug-in for Navigator.
  • Network World. Lots of Explorer-bug stories. Nothing about Netscape.
  • Associated Press and United Press Int'l and Reuters. The three major newswires got pooped-out after covering Explorer bugs.
  • National Public Radio. John McChesney hasn't yet filed a Shockwave story to follow up his report about ActiveX security woes.
  • EliaShim. Actually an antivirus vendor, not a news organization. These guys moved like lightning when the first Explorer bug appeared — and they may have beaten Microsoft in the race to find a solution. Their website displays a flashy graphic touting their free Explorer add-on, but a search of the website turned up absolutely nothing about Shockwave. No security alert, no solution, no nothing.