Netscape patches new browser

TechWorld.com - Netscape has released a security update to its Netscape 8.0 browser, fixing more than 40 security holes just hours after the browser's official launch (see story).
Version 8 of the browser is the first major update to it since 2002 and includes a number of new security features designed to protect users from remote attacks and malicious Web sites. It is based on the increasingly popular open-source Firefox browser, but it didn't include any of the security patches in the recently released Firefox 1.0.4.
"The browser is like a hybrid car that combines the usability of Internet Explorer with the security of Firefox," Andrew Weinstein, a spokesman for AOL/Netscape, told Reuters. Critics have pointed out that the initial release, however, combines the security flaws of both browsers.
The unpatched vulnerabilities -- which were fixed in Firefox in March -- include a bug in the handling of GIF images that could allow an attacker to run malicious code on a user's system. The vulnerability could be exploited by, for example, luring users to a site displaying specially crafted images.
The unpatched holes led to the release of Netscape 8.0.1 a few hours after the release of Version 8.0. The update includes the Firefox 1.0.4 security fixes, according to Netscape. The new version has been released only for users of Microsoft's Windows operating system.
The Netscape browser team either doesn't patch flaws as promptly as other browser vendors do, or it doesn't publicize its patches, according to Thomas Kristensen, chief technology officer at Danish security firm Secunia. According to Secunia's vulnerability database, 52% of Netscape 7.x vulnerabilities are unpatched, and 14% of Netscape 6.x bugs are unpatched.
The new Netscape browser is being marketed on the strength of its security features, which include the ability to render sites using either the Gecko engine -- which also drives Firefox and other products -- or Microsoft's Internet Explorer engine. Sites included on a "trusted" list provided by Netscape security partners VeriSign, Truste and ParetoLogic are by default rendered using the IE engine to ensure compatibility. Less trusted sites are by default rendered with Gecko.
New features include Site Controls, which is designed to allow security settings to be controlled at a site-by-site level; the MultiBar, which includes personalized content; an integrated AOL Instant Messenger and ICQ client; a security setting that turns off features such as JavaScript and cookies for untrusted sites; and a warning system designed to flag phishing sites.
Netscape 8.0's development was largely outsourced to Canadian firm Mercurial Communications Inc. becauseAOL had laid off most of the Netscape development team in 2003.

Reprinted with permission from

For more enterprise technology news from the U.K., please visit TechWorld.com. Copyright 2006 IDG, all rights reserved.