Press ReleaseReliable Software Technologies Discovers Security Flaw in Netscape Navigator
Defective Password Cryptography Identified
DULLES, Va., December 15, 1999—Reliable Software Technologies (RST), the leading software assurance consulting vendor, today warned of a serious security flaw in the password encryption of Netscape Navigator's email system. In an eight-hour effort, RST's Software Security Group easily duplicated the algorithm used to scramble an individual's mail password, potentially exposing the password to any attacker. Passwords must be stored in a computer system so that users can be authenticated. Having access to a Netscape mail password could potentially lead to malicious use of an individual's mail and allow further access to protected business-critical information systems where the same password is used. In some versions of Netscape, the scrambled password can be retrieved remotely using Javascript. "Software is entering every aspect of our lives and our businesses. Properly securing software applications from exploitation and illegal use is critical," said Jeffery E. Payne, RST's President and CEO. "Our business is built around certifying software as secure, safe and reliable. We identify flaws like this in the field all the time. Our clients see clear benefit from our software assurance expertise, and avoid having these problems exposed by hackers." Most people's mail password is also their login password for other applications, both at work and at home. A malicious attacker could use the victim's password, gleaned from an insecure home machine, to log in to a more secure corporate machine. The attacker can then take control of the machine, reading sensitive information, using the account to attack more privileged accounts, and setting up a remote monitoring system inside a corporate network. In order for a Netscape mail password to be decoded, a small program must be run on the computer where the password is saved. The lack of any real security in Windows95/98 makes exploiting this particular flaw in Netscape particularly easy. In fact, any program running on the computer has access to the encrypted password. Given the ease of RST's discovery, many corporations where employees use Netscape are putting their highly confidential information at risk. Netscape has been notified of RST's findings, and acknowledged the seriousness of the problem. In addition to notifying Netscape, RST suggested a simple fix to the flaw. "Software is becoming ubiquitous and increasingly complex. The importance of software security is thus growing exponentially," said Dr. Gary McGraw, Chief Technology Officer and head of the Software Security Group at RST. "Businesses think they can solve all of their security problems with firewalls and network perimeter security, but we have found that the biggest risks in today's distributed systems exist in custom software applications. Software security assurance requires real expertise, and must be designed into a system from day one." "This is another illustration of how bad closed, proprietary, cryptography is. What makes this vulnerability particularly nasty is that people tend to use the same passwords over and over again," said Bruce Schneier, CTO of Counterpane Internet Security and author of the best-selling book Applied Cryptography. "If you can attack someone's mail server password, you're likely to also have their login password, PGP password, etc. Software security is important." Tim Hollebeek and John Viega, members of RST's Software Security Group and Research Labs, did not reverse engineer Netscape's code or use automation to discover the flawed algorithm. The exact decryption algorithm used by Netscape and its location in the code is not known. However, experimentation verifies that the algorithm created at RST gives equivalent output in all cases for passwords up to 33 characters in length. About Reliable Software Technologies Headquartered in Dulles, VA, Reliable Software Technologies Corp. (RST) is the leading authority and industry visionary on software assurance for essential software. Founded in 1992 on the simple, compelling premise that software must work, the company offers methodologies and services that help organizations deliver reliable, secure, and safe software—the essence of software assurance. With expertise in test optimization, security and metrics, RST helps corporations, independent software vendors and system integrators optimize time spent in development and test, dramatically accelerating time-to-market. Learn more about RST on the Web at http://www.rstcorp.com/. Netscape Navigator is a trademark or registered trademark of Netscape. Netscape is an America Online Company (AOL). Windows95 and Windows98 are trademarks or registered trademarks of Microsoft Corporation. All product or company names mentioned are used for identification purposes only, and may be trademarks of their respective owners.
Contact: |