The flaws were found by a team of researchers from the University of Washington. This same team also has discovered glitches--24 in all, it claims--in Sun Microsystems' Java virtual machine, the engine that lets computers read and execute Java applets. Several companies, including Microsoft, have written their own virtual machines, but most browser and operating system companies rely on the version licensed directly from Sun.
Microsoft has posted an entirely new version of its virtual machine for Internet Explorer 3.x and 4.0. The software is available on the company's Web site.
Sun said late last week that it would immediately ship a patch to all licensees of its Java technology, adding that it would make the fix more widely available the week of May 26 in a new version of its Java development kit, 1.1.2.
Sun had said last week that the security holes could allow a hacker to shut down a Java program. But today an associate professor of computer science at the University of Washington, Brian Bershad, said the flaws in both Sun's and Microsoft's virtual machines are more serious.
"The best-case scenario results in a crash. Worst-case results in some resources corruption," such as a file being deleted, Bershad said today.
The University of Washington researchers discovered the problems while developing their own version of the virtual machine byte code verifier, a piece of software that checks Java code as it is downloaded from the Net to make sure it's safe. Both Microsoft and Sun moved to fix the glitches as soon as Bershad and the two other members of his team--Sean McDirmid and Emin Gün Sirer--notified them of the problems.
The researchers have posted a Web site that documents the flaws in the Microsoft and Sun virtual machines.