A security flaw in Microsoft's Java Virtual Machine could allow a Java applet to wreak havoc on a system if the user simply views a Web page or e-mail message.
The Princeton Secure Internet Programming team, Drew Dean at Xerox PARC and Dan Wallach at Rice University discovered the flaw in Java Virtual Machines with Internet Explorer 4 and 5 for Windows 95, 98 or NT. The security hole allows hackers to create an attack applet that is attached to an HTML page and delivered to Java Virtual Machines that have Internet Explorer and Outlook built in to them.
Such an attack applet could read files, change content, make network connections, set up a listening station or do other actions when it launched, said Gary McGraw, vice president of corporate technology at Reliable Software Technologies, a Virginia-based software consultancy. McGraw has worked with the Princeton team on other security matters.
"It's Melissa on steroids" by taking control of a victim's computer and performing any kind of action, he said.
According to Edward Felton, a professor at Princeton and a member of the programming team, no computer has been hit by the Java flaw yet.
McGraw said the flaw was discovered a couple of weeks ago but wasn't revealed until this week, when Microsoft issued a new version of Java Virtual Machine at http://www.microsoft.com/java/vm/dl_vm32.htm and a security bulletin. He advised Java Virtual Machine users to download the new version.
"It's pure luck that the major flaws in Java haven't run wild" yet, McGraw said. Attack applets are the worse kind of Java flaw, and like other mobile code, the risks are serious, he said.