Microsoft patches Java bug
The company issues a patch for a flaw that allows unauthorized users to delete files in Internet Explorer and other programs that incorporate Microsoft's version of Java.
Microsoft posted a fix for the problem today. The company said today that the bug affects all versions of IE 4 and 5.
As previously reported, the vulnerability allows a programmer to send a Java program called an applet over the Internet to someone else's computer. Once in, the program can delete a computer's files or make a host of other equally troubling problems. 's="" version="" java="" that="" lets="" escape="" protective="" confines="" "sandbox,"="" method="" uses="" to="" restrict="" programs="" from="" taking="" unauthorized="" actions.="" =""> A malicious Java applet, "if hosted on a Web site, could cause any action to be taken on the computer of a visiting user that the user himself could take," Microsoft said about the vulnerability today. "This could include, for example, creating, deleting or modifying files; sending data to or receiving data from a Web site; or reformatting the hard drive," Microsoft said.
Java was created by Sun Microsystems in 1995 and later licensed by Microsoft. The problem affects only Microsoft's version of Java. Disagreements in how Microsoft used Java resulted in an ongoing lawsuit brought by Sun.
Karsten Sohr, a graduate student at the University of Marburg in Germany, discovered the security hole.
The hole takes advantage of a problem that allows a mistrusted Java program to masquerade as a trusted one and therefore have permission to perform drastic actions. Researchers at Princeton University's Secure Internet Programming team created a demonstration "attack applet" that exploits the hole, slipping in under Internet Explorer's radar and deleting files.
Sun touts Java as highly secure, a boast many experts back up. But because Java programs can be sent across the Internet to Web browsers, a breach in the safety of Java is magnified. Java programs are often used to add elaborate features to Web pages.
Sohr has found other Java security problems before, including one found in March that afflicted Sun's version of Java software but not Microsoft's.
The new security hole is related to the last one Sohr found. Both take advantage of a flaw in a Java software component called the "bytecode verifier," which is supposed to screen incoming Java programs to make sure they pass muster. The new vulnerability also is similar to one found in August that allows a malicious program unlimited access to a computer.
Microsoft said the threat of the new problem is low because it's hard to exploit it. So far the company knows of no users whom the problem has affected, the company said.