Security - Netscape 8.0 Security
In Focus: Netscape 8.0 Security
Netscape Communications' Netscape Browser 8.0 was released last week. I
downloaded a copy and found that it has some impressive features, two
of which are great innovations that I think are worth a close look.
First, Netscape 8.0 can use both the Mozilla Firefox and Microsoft
Internet Explorer (IE) rendering engines, which means that if you use
it, you no longer have to open two browsers to get maximum
functionality while surfing the Web. The IE engine is enabled by
default for "trusted sites," and you can change that setting so that
the Firefox engine is used by default instead. A menu option (Tools,
Rendering Engine) lets you switch back and forth between the engines on
the fly.
Second, configuring Netscape 8.0 is fairly simple, especially if you're
familiar with Firefox. The Options dialog boxes are nearly identical in
both browsers. However, one Netscape 8.0 feature that you won't find in
Firefox is the Site Controls, which are similar to IE's security zones.
With Site Controls, you can define master settings that determine how
the browser will behave for each site you visit. There are four master
settings: "I Trust This Site," "I'm Not Sure," "I Don't Trust This
Site," and "Local Files." These are equivalent to IE's Trusted Sites,
Internet, Restricted Sites, and Local Intranet zones, respectively. For
each zone in Netscape 8.0, you can enable or disable various Web
features, such as Java, JavaScript, cookies, pop-up windows, and
ActiveX controls. You read that last item right--Netscape 8.0 supports
ActiveX!
You can customize the master settings on a per-site basis for any sites
you've added to any of the zones. Adding sites to a zone is simple.
After you have a site open in the browser, right-click its tab and
select Site Controls. Doing so presents a dialog box in which you can
specify the zone the site should belong to and customize individual
settings. You can also define a default rendering engine on a per-zone
or per-site basis.
A third new security feature (also part of Site Controls) is Trust
Ratings. If you enable this feature, you're relying on a third party to
determine whether you should trust a Web site's content and whether
it's OK to enter sensitive information at that Web site. The third
party maintains catalogs of trusted and untrusted sites. The catalogs
are automatically downloaded to the browser based on a schedule you
define. For example, you can refresh the catalogs hourly, daily, or
weekly. What Trust Ratings lacks is any information about who creates
the catalogs, what classification criteria are used, and a way to view
the catalogs. The feature requires that you trust it blindly to decide
on your behalf. Thus, I think this feature is less useful than it could
be.
Netscape 8.0 has other security-related features, some of which are
similar to ones in Firefox. For example, Datacard Manager helps store
information you might enter in Web forms. Passcard Manager helps you
store frequently used passwords. Netscape 8.0 also supports themes and
extensions. All those features are found in Firefox. Netscape 8.0 also
has a handy toolbar button that erases the browser history and a Web
mail manager that lets you configure account information for commonly
used services such as MSN Hotmail, Yahoo!, Google's Gmail, America
Online (AOL), and others. Those features don't come as standard
components of Firefox, but extensions that offer such functionality are
probably available.
Another feature not found in Firefox is statistics gathering. Netscape
8.0 can gather numbers about customers' browser feature usage, send
them back to developers (while preserving customers' anonymity, of
course), and use these statistics to improve future versions of the
browser. As you would expect, when you install Netscape 8.0, you can
import settings (such as preferences, cookies, browsing history) from
other installed browsers, including Firefox, IE, and Opera. Although
the installation routine did import all my settings, it didn't import
all my search engine plug-ins, so that's one area that needs some
improvement.
One thing I'm not clear about yet is how Netscape 8.0 actually uses the
IE rendering engine and ActiveX controls. Does Netscape 8.0 respect the
security zone settings as defined in IE? When I configure Netscape 8.0
to use the IE rendering engine, does it somehow map its own zones to IE
zones to use the IE zone settings in the registry? Does it respect my
IE zone settings for ActiveX behavior, such as disabling the download
of unsigned controls? I did some basic testing to try to determine the
functionality, and Netscape 8.0 didn't appear to use IE zone settings,
but I could be wrong. If you have any information to help explain what
goes on under the hood, please send me an email message with the
details.
Overall, Netscape 8.0 seems like an excellent solution, particularly
because of the new Site Controls and its use of both the IE and Firefox
rendering engines. You can download a copy at the URL below and take it
for a test drive. Note that Netscape 8.0 is based on Firefox 1.0.3
code. As such it inherited the same security problems that were present
in that Firefox version. Netscape 8.0.1 has been released to correct
those problems.
2. Security News and Features
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
Windows TCP/IP Woes
The Land attack method has been known to the public at least since
November 1997. When a Windows system receives a SYN packet that
contains the same source and destination address, the packet could
cause a minor Denial of Service (DoS). Microsoft issued a patch to fix
the problem in IPv4, but the company's IPv6 implementation is still
vulnerable.
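The packet condition described above, written as a detection check over raw IP packets. This is an added example, not part of the original newsletter; the function names and the sample packets (built inline from documentation address ranges) are constructed for illustration, and it covers both IPv4 and IPv6 because the item mentions both.

```python
import ipaddress
import struct

TCP_PROTO, SYN_FLAG = 6, 0x02

def parse_tcp(pkt: bytes):
    """Return (src, dst, tcp_flags) for an IPv4/IPv6 TCP packet, else None."""
    # Simplification in this example: IPv6 extension headers are not walked.
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20 and (pkt[0] & 0x0F) >= 5:
        ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length in bytes
        proto, src, dst, l4 = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
    elif version == 6 and len(pkt) >= 40:
        proto, src, dst, l4 = pkt[6], pkt[8:24], pkt[24:40], pkt[40:]
    else:
        return None
    if proto != TCP_PROTO or len(l4) < 14:  # flags byte is at TCP offset 13
        return None
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), l4[13]

def is_land_pattern(pkt: bytes) -> bool:
    """True for a TCP SYN whose source and destination addresses are equal."""
    parsed = parse_tcp(pkt)
    if parsed is None:
        return False
    src, dst, flags = parsed
    return bool(flags & SYN_FLAG) and src == dst

# --- Constructed sample packets (checksums left at zero; not validated) ---
def _tcp(flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 1025, 139, 0, 0, 5 << 4, flags, 8192, 0, 0)
def _ip(src: str, dst: str, flags: int) -> bytes:
    s, d, seg = ipaddress.ip_address(src), ipaddress.ip_address(dst), _tcp(flags)
    if s.version == 4:
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64,
                          TCP_PROTO, 0, s.packed, d.packed)
    else:
        hdr = struct.pack("!IHBB16s16s", 6 << 28, len(seg), TCP_PROTO, 64,
                          s.packed, d.packed)
    return hdr + seg

SAMPLES = {
    "land_v4": _ip("192.0.2.10", "192.0.2.10", 0x02),
    "normal_v4": _ip("192.0.2.20", "192.0.2.10", 0x02),
    "land_v6": _ip("2001:db8::10", "2001:db8::10", 0x02),
    "same_addr_ack_v4": _ip("192.0.2.10", "192.0.2.10", 0x10),
}

def flagged() -> list:
    return [name for name, pkt in SAMPLES.items() if is_land_pattern(pkt)]
```

The same condition can be applied as a drop rule at a perimeter filter, since a packet arriving from the network with the host's own address as its source is never legitimate.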
NT OBJECTives Offers Two Free Security Tools
NT OBJECTives announced that it has made its ntoinsight 2.0 Web site
analysis tool and ntoweb vulnerability assessment tool available as
freeware. Ntoinsight catalogs a Web site's content, architecture, and
dependencies, and can identify areas that might be used as attack
points by intruders. Ntoweb is a plug-in that lets ntoinsight use the
Nikto vulnerability database.
Resources and Events
Safeguard Your Exchange Servers--Plus Receive a Free eBook
Managing storage growth, providing application resiliency, and
handling small errors and problems before they grow are all important
aspects of boosting your Exchange Server uptime. In this free Web
seminar, discover how storage and application management techniques for
Exchange can be used to improve the resiliency and performance of your
Exchange infrastructure. Register now and get a free eBook!
Streamline Desktop Deployments
Managing desktop software configurations doesn't have to be a manual
process, resulting in unplanned costs, deployment delays, and client
confusion. In this free Web seminar, find out how to manage the
software package preparation process and increase your desktop
reliability, user satisfaction, and IT cost effectiveness. You'll learn
how to simplify the deployment and configuration process, starting with
the new-application request, review, and approval process and
progressing through software packaging and deployment.
Get Ready for SQL Server 2005 Roadshow in Europe
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine.
Get on the 64-Bit Bandwagon
In this free, on-demand Web seminar, you'll learn the most important
factors and best uses of 64-bit technology. Join industry expert Mike
Otey as he compares 32-bit and 64-bit technology and reveals the best
platform for high performance. You'll also learn how to successfully
migrate and manage the two.
Hot Release
Saving Time and Money with Network Faxing
Despite the rise of e-mail and the Internet, fax continues to be an
important means of business communication. Organizations can save
significantly on long distance costs, increase worker productivity, and
streamline their business processes simply by connecting a fax server
to their local area network. Get this white paper now!
3. Security Toolkit
Security Matters Blog: Hack IIS 6.0
Feel like testing your hacking skills against IIS? If you can break
into the test server, you'll win an Xbox. Head over to
and read the rules of engagement.
Security Forum Featured Thread: Accessing the Security Log on a DC
A forum participant writes that he has a third-party audit tool
running in Active Directory on Windows Server 2003. The configuring
administrators of the audit tool aren't domain administrators, but they
must have access to the Security log of the DCs to get the needed
events. Is it possible to give access to the Security log on a DC
without a membership in Domain Admins?
Announcements
(from Windows IT Pro and its partners)
Why Do You Need the Windows IT Pro Master CD?
There are three good reasons to order our latest Windows IT Pro
Master CD. One, because it's a lightning-fast, portable tool that lets
you search for solutions by topic, author, or issue. Two, because it
includes our Top 100 Windows IT Pro Tips. Three, because you'll also
receive exclusive, subscriber-only access to our entire online article
database. Click here to discover even more reasons:
Nominate Yourself or a Friend for the MCP Hall of Fame
Are you a top-notch MCP who deserves to be a part of the first-ever
MCP Hall of Fame? Get the fame you deserve by nominating yourself or a
peer to become a part of this influential community of certified
professionals. You could win a VIP trip to Microsoft and other valuable
prizes. Enter now--it's easy:
4. New and Improved
Control Your Network Traffic
Lightspeed Systems offers Total Traffic Control (TTC) 5.03 for
schools, government departments, and businesses. TTC 5.03 performs
content filtering, spam blocking, bandwidth management, and reporting.
TTC 5.03 incorporates a Security Agent, which augments virus signature
matching with behavior analysis to identify and prevent malicious
threats. The Security Agent enables administrators to quickly classify
any undesirable application as a known malicious program and distribute
that information to systems on the network. TTC 5.03 also has new spam-
blocking techniques and can block Web searches on words that you
specify.