Maybe the press is still recovering from DefCon, the hacker conference in Las Vegas. A veteran bug hunter found a doozy of a security hole in the Netscape browser on Friday, and stories didn't start trickling in until Monday afternoon. The stories that did show up were slim, and some played fast and loose with the technical details.
Programmer Dan Brumleve found a way to use Java and a Netscape browser to turn your PC into a Web server, offering all the files on your hard disk to the world. Brumleve named the new security hole "Brown Orifice" and posted a demonstration server-in-a-Java-applet on his Web site. He also offered visitors the source code.
This morning the Wall Street Journal's Ted Bridis turned in a fairly thorough piece on Brown Orifice. Noting the bug's impact on business users, Bridis called it a "mixed bag." And he covered all the bases, getting statements from AOL (Netscape's owner), Brumleve himself, security company ISS and antivirus software maker McAfee.
The New York Times ran an AP story that took off from a security alert issued by ISS Monday afternoon. The AP reporter misinterpreted ISS' warnings, treating Brumleve's demonstration as a major security bug in its own right and claiming that Brown Orifice enables remote users to delete other people's files (it doesn't).
Wired News' Farhad Manjoo apparently interviewed Brumleve to get the figure for the number of visits to his exploit page and the number of downloads of the source code: "thousands." CNET's report spent 12 paragraphs on a different bug, a complicated affair involving Microsoft Word, Access and Outlook; Netscape's Java woes rated only four paragraphs. - Keith Dawson
New Hole in Microsoft's Armor
The Industry Standard
Netscape Flaw Displays Hard Drive
Hacker Finds Hole in Netscape
Netscape Web-Browser Software Has Possible Opening for Hackers
Wall Street Journal
(Paid subscription required.)
Bugs Afflict Microsoft, Netscape, Sun
Netscape Security Hole Affects Users (AP)
New York Times