The bug uses Java to take advantage of a long-standing problem with Microsoft's Windows 95 and Windows 98 operating systems, according to Joseph Ashwood, a computer research undergraduate student at the University of Southern California. Specifically, it creates more and more computing processes, called "threads," until the system runs out of resources.
"It generates so many threads that the system loses all control over itself," Ashwood said.
Such a malicious Java program could be embedded on a Web page, according to Ashwood, who said he came across the bug when he was looking at the Java source code for a computer security class.
The Java thread-overrun program is notable because it crashes Windows 95 and 98 computers without ever leaving the Java "sandbox," which is designed to confine Java programs so they can't wreak havoc on an operating system. More robust operating systems such as Windows NT or Sun's Solaris aren't troubled by the bug.
A Microsoft spokesperson said the company is considering addressing the threading weakness, but that the problem is deeply buried in the operating system architecture and that modifying the relevant code would require "a major overhaul." Indeed, one of the reasons for developing Windows NT was the need for a more robust threading architecture, the spokesperson said.
Microsoft also encouraged users to be careful which Web sites they visit and what software they download.
The malicious program has crashed Windows 95 and Windows 98 systems with both Microsoft's Internet Explorer and Netscape Navigator Web browsers, Ashwood said. In some circumstances, Navigator crashes but the system doesn't, he said.
Ashwood discovered the bug while looking at a previous version of Java, but he has found that it works with the most recent version as well.
In his tests, Ashwood has found that Windows NT performance degrades and the browser stops responding. On Unix systems, the browser hangs up, he said.
From a programming point of view, it's difficult to fix a problem like this one, which takes advantage of the overuse of an ordinary activity such as generating a new thread, said Roland Jones, senior product manager for Java security.
"What's doing this is a normal operation taken to excess. It's really hard to tell what's normal and what's excessive," Jones said.
Creating threads is as basic to computers as eating is to people, but in this case, "The waitress can't tell that this guy has ordered 47 steaks already."
Ashwood contended "it should be rather simple for either Microsoft or Sun to fix it" by counting and limiting the threads. He added that it would be most logical for Microsoft to fix it, because the thread issue is a vulnerability that's not limited just to Java.
The Java-based thread-overrun program runs inside the Java virtual machine, the software component that lets programs written in Java execute on all sorts of different chips.
The thread overrun issue "could be addressed in the virtual machine. We have some thoughts about what we can do. But we haven't had that much trouble with it," Jones said. "It's one of the things that's been on our list to look at."
"The better operating system should be able to handle this," he added.
Ashwood said he notified Sun about the exploit in September, October, and November, and was dissatisfied with the company's responses. Last week, he described the bug on the Alienware Web site.