Netscape Navigator users were able to chuckle as they read about the large number of security problems that have recently surfaced with Microsoft products. However, now it’s their turn to worry about a security hole.

BugNet has verified, using KeyLabs, reports of a potentially serious security hole for people who use Netscape Navigator. The problem exists in Netscape’s Java Virtual Machine, which runs Java applets found on web pages, and was reported by security researcher Dan Brumleve. The exploit could be used to reverse normal browsing – files could be sent from your computer to the web site.

A web site operator could take advantage of this vulnerability to run code on a web surfer’s computer. This code would act as a file server, and could be used to offer up files from the surfer’s hard drive back to the web site. The code itself could be activated without the knowledge of the web browser. BugNet’s tests show that versions of Netscape running on Windows 95, Windows 98, and Windows 2000 are affected. The vulnerability can also be extended so that it can be used against people running Netscape on Macintosh and UNIX computers. BugNet has also gotten the exploit to work on Netscape for Linux, but only if the Linux user is surfing the web while logged in as “root”. Linux security gurus advise against that particular practice.

Normally, Java programs downloaded from the Internet run on your local computer in a “sandbox”. The program’s actions typically would not be allowed to extend beyond this sandbox, which makes the files on your hard drive off limits. Brumleve’s exploit manages to circumvent this restriction, which can give a hacker free reign on your system. Since many people have sensitive information stored in fairly standard locations on their hard drives (such as Quicken, TurboTax, or Microsoft Money files), the hacker could have many tempting targets. Even after you left the offending web page, the exploit would continue to run, staying active until Netscape Navigator is closed.

The Netscape Security Site, listed below, has not yet posted any fix. As a workaround, any Netscape user can disable Java on their machine. Do this by clicking Edit, Preferences. Click Advanced, and then uncheck Enable Java. Doing this may disable some features on web sites you visit, but will keep anyone from exploiting this particular security hole.