SafeWeb Addresses Vulnerability in Consumer Privacy Technology

 Date: Wed, 13 Feb 2002 18:46:35 -0800 From: Sandra Song  To: bugtraq@securityfocus.com Subject: SafeWeb Addresses Vulnerability in Consumer Privacy Technology  FOR IMMEDIATE RELEASE  SAFEWEB ADDRESSES VULNERABILITY IN CONSUMER PRIVACY TECHNOLOGY  Emeryville, CA -- February 13, 2002 -- SafeWeb, a leading provider of Web-based security and privacy technologies, today announced that it will address JavaScript security vulnerabilities in its licensed consumer privacy technology that were highlighted in a recent a study. The company closed down the free privacy service in November 2001 for financial reasons.  ?We have a responsibility to promptly resolve bugs in our technology,? said Jon Chun, CEO and president of SafeWeb. ?Security is a process, and we welcome this kind of in-depth critical review as an opportunity to improve and lead in this area. We appreciate that David Martin of Boston University and Andrew Schulman of the Privacy Foundation identified these issues and alerted us to the problem.?  Though the company has not received any customer complaints on this problem, and though it suspended the consumer privacy service last year, it has decided to issue a patch as a precautionary measure.  SafeWeb has advised PrivaSec and other licensees of its consumer privacy technology to the vulnerabilities raised in the study, and plans to deliver the patch to PrivaSec and all other licensees within several days.  The vulnerabilities identified, which require the use of Web browser scripting languages, would allow a malicious website operator to identify attributes of SafeWeb users that were not intended to be disclosed. SafeWeb users accessing reputable and trusted websites would not be affected.  SafeWeb is creating a software upgrade that gives users the option to disable JavaScript when surfing the Web anonymously. This option will eliminate the vulnerabilities described in the study.  By providing this as an option, SafeWeb will allow users to choose between greater functionality and this new level of security.  The JavaScript vulnerabilities raised in the paper do not affect SafeWeb's enterprise remote access product, the Secure Extranet Appliance (SEA). In a secure remote access deployment, users must authenticate themselves to trusted systems in order to access resources within the company's intranet, and therefore user anonymity is not an issue.  About SafeWeb, Inc.  Based in Emeryville, California, SafeWeb was founded in April 2000 to create innovative security and privacy technologies that are effective, economical and simple. Our mission with the Secure Extranet Appliance is to deliver technology that drastically reduces the cost and complexity traditionally involved in securing corporate network resources.  Since its inception, SafeWeb has built the world's largest online privacy network and has established strategic partnerships to deliver customized versions of its proven technology to high-profile U.S. intelligence and communications agencies. SafeWeb has received numerous awards for its technology, and has been recognized as a privacy and security expert before the U.S. Congress and at industry conferences such as DEF CON. For more information, please visit the company?s Website at https://us.norton.com/.  # # #  For more information contact:  Sandra Song Communications Director SafeWeb, Inc. (510) 601-8855 x108 sandra@safeweb.com