Netscape has published a security update to its Netscape 8 browser fixing more than 40 security holes, just hours after the browser’s official launch.
Version 8 is the first major update to the browser since 2002 and includes a number of new security features designed to protect users from remote attacks and malicious websites. It is based on the increasingly popular open-source Firefox browser, but the initial release didn’t include any of the security patches released in Firefox 1.0.4.
“The browser is like a hybrid car that combines the usability of Internet Explorer with the security of Firefox,” Andrew Weinstein, a spokesman for AOL/Netscape, told Reuters. Critics have pointed out, however, that the initial release combines the security vulnerabilities of both browsers.
The unpatched vulnerabilities, fixed in Firefox back in March, include a bug in the handling of GIF images that could allow an attacker to run malicious code on a user’s system. The vulnerability could be exploited by, for example, luring users to a site displaying specially crafted images.
The unpatched holes led to the release of Netscape 8.0.1 a few hours after the release of version 8.0. The update includes the Firefox 1.0.4 security fixes, according to Netscape. Netscape’s advisory is available here.
The browser team either doesn’t patch flaws very promptly, compared with other browser vendors, or doesn’t publicize its patches, according to Thomas Kristensen, CTO of Danish security firm Secunia.
According to Secunia’s vulnerability database, 52 percent of Netscape 7.x vulnerabilities are unpatched, with 14 percent of Netscape 6.x bugs unpatched.
The new Netscape browser is being marketed on the strength of its security features, which include the ability to render sites using either the Gecko engine — which also drives Firefox and other products — or Microsoft’s Internet Explorer engine. Sites included on a “trusted” list provided by Netscape security partners VeriSign, TRUSTe and ParetoLogic are by default rendered using the IE engine, in order to ensure compatibility, while less trusted sites are by default rendered with Gecko.
Netscape 8’s development was largely outsourced to Canadian firm Mercurial Communications after AOL laid off most of the Netscape development team in 2003.