Just a few hours after releasing its new browser, Netscape 8.0, to analysts’ praise, America Online has issued a critical update that plugs 44 security holes.
AOL touted Netscape 8.0’s security features, so the release of the patch could be considered a blow. The problem arose because, while the browser emulates Mozilla’s open-source Firefox and Microsoft’s Internet Explorer, it did not incorporate any of the security patches in Firefox 1.0.4, which was released in March to fix some security flaws.
No Announcement Today
Version 8.0.1 has been released for Windows users. It can be found on the Netscape site, but AOL did not issue a press release on the patches.
Ed Moyle, president of SecurityCurve, told TechNewsWorld he could see how the mistake happened. “It’s understandable because they probably have a bunch of custom development they did for Netscape. They probably took a snapshot of Firefox and since that time Firefox has evolved and fixed security holes. They wouldn’t necessarily have the fixes and updates.”
One of the flaws, in the handling of GIF images, could allow an attacker to remotely control an infected computer.
“It shows a good commitment on the part of AOL that they were able to turn the patches around within a day,” Moyle said, “but this ought to put them on notice that in the future if people are coming to them for a security product that they would want to make sure the patches are in their core product.”
Proceed with Caution
Moyle also pointed out that AOL might have doubled its trouble when it comes to keeping up to date on patches.
“Now, there’s two different things that you have to fix if there are security issues. If there’s a bug in Firefox, a certain number of your users will be affected, and if there’s a bug in IE, a different number of your users will be affected,” he said.
He also said he was concerned that Netscape patches will always be released behind either Firefox or Microsoft patches, depending on the communication between the companies.
“The Netscape people are providing more security, but they have to make sure that any released patches for the underlying technology don’t affect their software, and that adds to the time it takes to release patches,” Moyle said. “They need to be on the ball in watching for these patches.”