SAN FRANCISCO (05/05/2000) - Microsoft Corp. and Netscape Communications Corp. are at odds over who is to blame for a browser-related security hole that could make Web sites vulnerable to attack from hackers.
Netscape's Communicator browser includes JavaScript, a scripting language that enables Web authors to create interactive Web sites and is supported by script from Microsoft's rival browser Internet Explorer (IE). However, some IE scripts which are only meant to be accessed by the user are exposed to attack in the Communicator browser, a Microsoft official and an independent analyst confirmed today.
Microsoft said it is up to Netscape to protect the privacy of the scripts in Communicator, no matter where they originated from. Netscape officials could not be reached for comment today.
"The Microsoft Internet Explorer security model allows a Web site to run any script or program that it trusts," Scott Culp, a Microsoft security program manager, said today in a telephone interview. "The program exposes some fairly powerful functionality that allows a hostile Web site to glean information from a user's machine."
However, one security analyst said Microsoft should fix the bug itself.
"Microsoft built the architecture that made it (the hole) possible," David Perry, a spokesman for antivirus software vendor Trend Micro Inc., said today in a telephone interview.
However, Microsoft said it is Netscape's responsibility to protect the script from attack. "The real problem is Netscape Communicator taking a powerful script and putting it out on your computer in a locale where any Web site can find it out and run it," Microsoft's Culp said.
No incidents of a breach of the hole have been reported as yet.
Netscape Communications, part of America Online Inc. (AOL) in Mountain View, California, can be reached at +1-650-254-1900, or at http://www.netscape.com/.
Microsoft, in Redmond, Washington, can be reached at +1-425-882-8080 or at http://www.microsoft.com/.