ad info



CNN.com
 MAIN PAGE
 WORLD
 ASIANOW
 U.S.
 LOCAL
 POLITICS
 WEATHER
 BUSINESS
 SPORTS
 TECHNOLOGY
   computing
   personal technology
   space
 NATURE
 ENTERTAINMENT
 BOOKS
 TRAVEL
 FOOD
 HEALTH
 STYLE
 IN-DEPTH
 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz
  CNN WEB SITES:
CNN Websites
 TIME INC. SITES:
 MORE SERVICES:
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines
 pointcast
 pagenet
 DISCUSSION:
 message boards
 chat
 feedback
 SITE GUIDES:
 help
 contents
 search
 FASTER ACCESS:
 europe
 japan
 WEB SERVICES:
COMPUTING
From...
Computerworld

Microsoft Java machine could enable 'attack applets'

September 2, 1999
Web posted at: 3:04 p.m. EDT (1904 GMT)

by Kathleen Ohlson graphic

(IDG) -- A security flaw in Microsoft Corp.'s Java Virtual Machine could allow a Java applet to wreak havoc on a system if the user simply views a Web page or e-mail message.

The Princeton Secure Internet Programming team, Drew Dean at Xerox PARC and Dan Wallach at Rice University discovered the flaw in Java Virtual Machines with Internet Explorer 4 and 5 for Windows 95, 98 or NT. The security hole allows hackers to create an attack applet that is attached to an HTML page and delivered to Java Virtual Machines that have Internet Explorer and Outlook built in to them.

Such an attack applet could read files, change content, make network connections, set up a listening station or do other actions when it launched,
MORE COMPUTING INTELLIGENCE
IDG.net   IDG.net home page
  Computerworld's home page
  Computerworld Year 2000 resource center
  Computerworld's online subscription center
 Reviews & in-depth info at IDG.net
  IDG.net's personal news page
  Year 2000 World
  Questions about computers? Let IDG.net's editors help you
  Subscribe to IDG.net's free daily newsletter for IT leaders
  Search IDG.net in 12 languages
 News Radio
 * Computerworld Minute
 * Fusion audio primers
   
said Gary McGraw, vice president of corporate technology at Reliable Software Technologies Corp., a Dulles, Va.-based software consultancy. McGraw has worked with the Princeton team on other security matters.

"It's Melissa on steroids" by taking control of a victim's computer and performing any kind of action, he said.

According to Edward Felton, a professor at Princeton and a member of the programming team, no computer has been hit by the Java flaw yet.

McGraw said the flaw was discovered a couple of weeks ago but wasn't revealed until this week, when Microsoft issued a new version of Java Virtual Machine and a security bulletin on the company's official site (links below). He advised Java Virtual Machine users to download the new version.

"It's pure luck that the major flaws in Java haven't run wild" yet, McGraw said. Attack applets are the worse kind of Java flaw, and like other mobile code, the risks are serious, he said.


RELATED STORIES:
Java Grande pushes Java toward new heights
September 1, 1999
Microsoft gets behind e-books
September 1, 1999
Microsoft takes wraps off Embedded NT
August 11, 1999
RELATED IDG.net STORIES:
Microsoft now manually checking Hotmail servers for flaw
(InfoWorld)
Hotmail hack: This time it's personal
(IDG.net)
Vulnerability in Netscape servers revealed
(InfoWorld)
E-commerce security unsafe?
(Network World Fusion)
Alerts issued for toadie virus
(InfoWorld)
Security firm confirms accusation of AOL messaging bug
(InfoWorld)
Suspect admits creating Melissa virus
(IDG.net)
Year 2000 World
(IDG.net)
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
RELATED SITES:
Microsoft Corp. Java Virtual Machine
Microsoft Corp. security bulletin
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
 LATEST HEADLINES:
SEARCH CNN.com
Enter keyword(s)   go    help
Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.