Another Java bug creeps out

Another security flaw, perhaps the most serious yet, has been discovered in Sun Microsystems' Java programming language, but Sun says it is already rushing to the rescue.

The problem was turned up by a Princeton University research team that has uncovered at least two other security problems in the new language. But the researchers say this one is the worst yet because it could let hackers destroy files on someone else's computer by sneaking in through the Internet.

"The flaw would allow a malicious Java applet to execute any machine code that it wants," said Edward Felten, a Princeton assistant professor who helped discover the flaw. Hackers could exploit the security hole, for example, to issue commands to a PC running Netscape Navigator or another Java-compatible browser to read files, delete them, or send them somewhere else over the Net, he said.

Princeton researchers reported their findings to Sun Microsystems and Netscape Communications engineers Friday. Sun officials said a patch is scheduled to be posted tomorrow on its home page. "We have the security engineers working on this, and they will provide a patch and the technical details of how the patch should be applied," said Jeff Baehr, Sun's chief network officer. The patch will also be delivered to Java developers like Netscape.

Felten and his team have now discovered three security problems in Java as part of a project that began six months ago to examine the reliability of online programming languages. Java's developers have promoted it as a secure way to send executable code--programs that perform activities, as opposed to static information like text or graphics--over the Internet. But the technology has sprung security leaks, discovered chiefly by the Princeton researchers, that have raised questions in users' minds not only about Java but also about Internet technology in general.

Felten is well aware of the implications of his reports. "We found a flaw in the implementation of Java that allows an applet to circumvent the security rules that the Java implementation is supposed to enforce," he said. "What we found raises some questions about the overall structure of software people use on the Internet."

Sun officials say they are not unduly concerned about this latest flaw. "It's always good to find out these things, get them fixed, and move on to the next," Baehr said.

Because Java is used in the Navigator browser, which is found on 80 percent of Internet users' desktops, the Java problems have been widely reported, but they are only a symptom of broader Internet security issues.

At his keynote address for the Internet & Electronic Commerce Conference in New York, Sun CEO Scott McNealy said, "There are obviously a lot of security issues [with the Internet]. You're going to be reading about them everywhere."
