Computerworld

Experts warn of attack applet hole in Microsoft JVM

A German researcher has discovered what some experts call a 'serious security flaw' in recent versions of Microsoft's Java Virtual Machine.

A German researcher has discovered what some experts call a "serious security flaw" in Microsoft's Java Virtual Machine (JVM). The problem appears to affect recent versions of the JVM for Windows, which is used in software such as Internet Explorer, Microsoft Outlook and the Eudora e-mail program.

Karsten Sohr at the University of Marburg reported finding the bug in the JVM's bytecode verifier. Bytecode is the name for compiled Java programs. The glitch allows a code sequence to be put together that improperly transfers values of one Java type into values of another Java type, a transfer the JVM verifier is supposed to catch.

An attack applet can exploit the glitch and override JVM security, doing things such as reading private data or modifying and deleting files on a victim's machine, according to Reliable Software Technologies (RST), a software-assurance consulting firm in Dulles, Virginia.

Researchers at RST and Princeton University's Safe Internet Programming team have verified Sohr's findings, according to a statement issued by RST.

"Attack applets are the worst category of Java-borne attacks since they carry out system modification," said Gary McGraw, vice president of corporate technology at RST and author of the book Securing Java. Microsoft has been notified of the problem.

"Microsoft is working on making a fix available as soon as possible," a company spokesman said. The security hole is difficult to discover and exploit, and Microsoft is not aware of any users being affected by the problem, the spokesman added. Still, the company takes such security matters seriously, she said. Information on a fix should be available on Microsoft's Java Web site.