This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

THE INDUSTRY STANDARD MAGAZINE
Press Shrugs at Major Java Bug
Aug 08 2000 12:00 AM PDT



Maybe the press is still recovering from DefCon, the hacker conference in Las Vegas. A veteran bug hunter found a doozy of a security hole in the Netscape browser on Friday, and stories didn't start trickling in until Monday afternoon. The stories that did show up were slim, and some played fast and loose with the technical details.

Programmer Dan Brumleve found a way to use Java and a Netscape browser to turn your PC into a Web server, offering all the files on your hard disk to the world. Brumleve named the new security hole "Brown Orifice" and posted a demonstration server-in-a-Java-applet on his Web site. He also offered visitors the source code.

This morning the Wall Street Journal's Ted Bridis turned in a fairly thorough piece on Brown Orifice. Noting the bug's impact on business users, Bridis called it a "mixed bag." And he covered all the bases, getting statements from AOL (Netscape's owner), Brumleve himself, security company ISS and antivirus software maker McAfee.

The New York Times ran an AP story that took off from a security alert issued by ISS Monday afternoon. The AP reporter misinterpreted ISS' warnings, treating Brumleve's demonstration as a major security bug in its own right and claiming that Brown Orifice enables remote users to delete other people's files (it doesn't).

MSNBC's reporter helpfully gave instructions for how to protect oneself by turning off Java in one's Netscape browser. But he added a note about turning off JavaScript, which is not involved in Brown Orifice.

Wired News' Farhad Manjoo apparently interviewed Brumleve to get the figure for the number of visits to his exploit page and the number of downloads of the source code: "thousands." CNET's report spent 12 paragraphs on a different bug, a complicated affair involving Microsoft Word, Access and Outlook; Netscape's Java woes rated only four paragraphs. - Keith Dawson

New Hole in Microsoft's Armor
The Industry Standard

Netscape Flaw Displays Hard Drive
MSNBC

Hacker Finds Hole in Netscape
Wired News

Netscape Web-Browser Software Has Possible Opening for Hackers
Wall Street Journal
(Paid subscription required.)

Bugs Afflict Microsoft, Netscape, Sun
CNET

Netscape Security Hole Affects Users (AP)
New York Times
(Registration required.)