Microsoft Java machine could enable 'attack applets'
September 2, 1999
by Kathleen Ohlson
(IDG) -- A security flaw in Microsoft Corp.'s Java Virtual Machine could allow a Java applet to wreak havoc on a system if the user simply views a Web page or e-mail message.
The Princeton Secure Internet Programming team, Drew Dean at Xerox PARC and Dan Wallach at Rice University discovered the flaw in Java Virtual Machines with Internet Explorer 4 and 5 for Windows 95, 98 or NT. The security hole allows hackers to create an attack applet that is attached to an HTML page and delivered to Java Virtual Machines that have Internet Explorer and Outlook built into them.
Such an attack applet could read files, change content, make network connections, set up a listening station or do other actions when it launched,
"It's Melissa on steroids" by taking control of a victim's computer and performing any kind of action, he said.
According to Edward Felten, a professor at Princeton and a member of the programming team, no computer has been hit by the Java flaw yet.
McGraw said the flaw was discovered a couple of weeks ago but wasn't revealed until this week, when Microsoft issued a new version of Java Virtual Machine and a security bulletin on the company's official site (links below). He advised Java Virtual Machine users to download the new version.
"It's pure luck that the major flaws in Java haven't run wild" yet, McGraw said. Attack applets are the worst kind of Java flaw, and like other mobile code, the risks are serious, he said.
Microsoft Corp. Java Virtual Machine