A German researcher has discovered what some experts call a "serious security flaw" in Microsoft's Java Virtual Machine (JVM).
The problem appears to affect recent versions of the JVM for Windows, which is used in software such as Internet Explorer, Microsoft Outlook and the Eudora e-mail program.
Karsten Sohr at the University of Marburg reported finding the bug in the JVM's bytecode verifier. Bytecode is the compiled form of a Java program, and the verifier is supposed to check every bytecode sequence before it runs so that a value of one Java type can never be used as though it were a value of another. The flaw lets a specially constructed bytecode sequence slip past that check, so the values of one Java type can be improperly treated as the values of another type, a condition known as type confusion.
An attack applet can exploit the glitch and override JVM security, doing things such as reading private data or modifying and deleting files on a victim's machine, Reliable Software Technologies Corp. (RST) in Dulles, Va., a software-assurance consulting firm, said yesterday.
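To show what the verifier is meant to catch and why a lapse in it matters, here is an added illustration written for this page; it is not the article's code, not Microsoft's JVM and not the bug Sohr found. It models a toy stack machine whose verifier tracks the type of every operand-stack slot, then shows that when the verifier's judgement is bypassed, an int chosen by the attacker is dereferenced as an object handle and reads another object's private field. The opcodes, class layouts and heap model are invented, and the Secret object holding the value 42 is a constructed scenario.

```python
# Added example (not from the article, and not Microsoft's or Sun's JVM code):
# a toy stack machine with a type-tracking verifier. Opcodes, class layouts and
# the heap model are invented for illustration.

# Class layouts: field names in slot order. All fields hold ints here.
CLASSES = {
    "Secret": ["data"],    # a system object an applet must not read
    "Box":    ["value"],   # an ordinary object an applet may create
}


class VerifyError(Exception):
    """Raised when a bytecode sequence fails type checking."""


def verify(code):
    """Abstract-interpret straight-line code, tracking only the *type* of each
    operand-stack slot ('int' or 'ref:<Class>'). Returns the returned type."""
    types = []

    def pop(pc, expected):
        if not types:
            raise VerifyError(f"pc {pc}: operand stack underflow")
        actual = types.pop()
        if actual != expected:
            raise VerifyError(f"pc {pc}: expected {expected}, found {actual}")
        return actual

    for pc, (op, *args) in enumerate(code):
        if op == "push_int":
            types.append("int")
        elif op == "new":
            if args[0] not in CLASSES:
                raise VerifyError(f"pc {pc}: unknown class {args[0]}")
            types.append(f"ref:{args[0]}")
        elif op == "getfield":
            cls, field = args
            if field not in CLASSES.get(cls, []):
                raise VerifyError(f"pc {pc}: no field {cls}.{field}")
            # The receiver must be a reference of the named class. A verifier
            # that wrongly lets an int (or a ref of another class) through here
            # produces a type confusion: the interpreter below never re-checks.
            pop(pc, f"ref:{cls}")
            types.append("int")
        elif op == "iadd":
            pop(pc, "int")
            pop(pc, "int")
            types.append("int")
        elif op == "ireturn":
            return pop(pc, "int")
        else:
            raise VerifyError(f"pc {pc}: unknown opcode {op}")
    raise VerifyError("code falls off the end without returning")


def check(code):
    """Return None if the verifier accepts the code, else its error message."""
    try:
        verify(code)
        return None
    except VerifyError as e:
        return str(e)


class Heap:
    """Toy heap: a reference is just an integer handle into a list of objects,
    each object a list of field slots. Handles and ints are indistinguishable
    at run time, so only the verifier stops an attacker-chosen int from being
    dereferenced as an object."""

    def __init__(self):
        self.objects = []

    def new(self, cls):
        self.objects.append([0] * len(CLASSES[cls]))
        return len(self.objects) - 1


def execute(code, heap, verified=True):
    """Run code on the toy machine. verified=False skips the verifier, standing
    in for a verifier that accepts a sequence it should have rejected."""
    if verified:
        verify(code)
    stack = []
    for op, *args in code:
        if op == "push_int":
            stack.append(args[0])
        elif op == "new":
            stack.append(heap.new(args[0]))
        elif op == "getfield":
            cls, field = args
            slot = CLASSES[cls].index(field)         # resolved statically, like a field offset
            stack.append(heap.objects[stack.pop()][slot])  # no run-time type check
        elif op == "iadd":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "ireturn":
            return stack.pop()
    raise RuntimeError("code falls off the end without returning")


def make_heap_with_secret(secret=42):
    """Constructed scenario: trusted code already allocated a Secret (handle 0)
    holding private data before the applet's code runs."""
    heap = Heap()
    heap.objects[heap.new("Secret")][0] = secret
    return heap


# Well-typed applet code: allocate a Box, read its (zero) field, add 1.
GOOD = [("new", "Box"), ("getfield", "Box", "value"), ("push_int", 1), ("iadd",), ("ireturn",)]

# Type-confused applet code: push the int 0 and use it as if it were a Box
# reference. Handle 0 is the Secret, so slot 0 is its private data.
CONFUSED = [("push_int", 0), ("getfield", "Box", "value"), ("ireturn",)]

if __name__ == "__main__":
    print("good code returns", execute(GOOD, make_heap_with_secret()))
    print("verifier on confused code:", check(CONFUSED))
    print("confused code, verifier bypassed, leaks", execute(CONFUSED, make_heap_with_secret(), verified=False))
```

The point of the toy is the division of labour it mirrors: the interpreter trusts the verifier completely and does no type checking of its own, because that is what makes the JVM fast. A single wrong verdict from the verifier is therefore enough to turn an attacker's integer into a pointer, which is the class of failure the article describes.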
Researchers at RST and Princeton University's Safe Internet Programming team have verified Sohr's findings, according to a statement issued by RST.
"Attack applets are the worst category of Java-borne attacks since they carry out system modification," said Gary McGraw, vice president of corporate technology at RST and author of the book Securing Java. Microsoft has been notified of the problem.
"Microsoft is working on making a fix available as soon as possible," a company spokesperson said today. The security hole is difficult to discover and exploit, and Microsoft is not aware of any users being affected by the problem, the spokesperson added. Still, the company takes such security matters seriously, she said. Information on a fix should be available on Microsoft's Java Web site at http://www.microsoft.com/java.