Microsoft and Netscape Communications are warring over who is to blame for a browser-related security hole that could make Web sites vulnerable to attack from hackers.

Netscape's Communicator browser includes JavaScript, a scripting language that lets Web authors create interactive Web sites and is supported by script from Microsoft's rival browser Internet Explorer (IE). However, some IE scripts which are only meant to be accessed by the user are exposed to attack in the Communicator browser, a Microsoft official and an independent analyst confirmed today.

Blame Microsoft said it is up to Netscape to protect the privacy of the scripts in Communicator, no matter where they originated from.

Scott Culp, a Microsoft security program manager, said: "The Microsoft Internet Explorer security model allows a Web site to run any script or program that it trusts. The program exposes some fairly powerful functionality that allows a hostile Web site to glean information from a user's machine."

Netscape places the blame for the security hole firmly at Microsoft's door: "The problem is with Microsoft's Internet Explorer," Eric Krock, a Netscape group manager for tools and components, said. "It's only the installation and use of Internet Explorer that leaves the user vulnerable."

Hole One security analyst agreed and said Microsoft should fix the bug itself. David Perry, a spokesman for antivirus software vendor Trend Micro, said: "Microsoft built the architecture that made the hole possible."

Microsoft said it’s Netscape's responsibility to protect the script from attack. Culp said: "The real problem is Netscape Communicator taking a powerful script and putting it out on your computer where any Web site can find it out and run it."

No incidents of a breach of the hole have been reported as yet.