Sun downplays Java bug

Researchers at the University of Washington have unearthed another security bug in Sun Microsystems' (SUNW) Java technology.

The researchers called the glitch a "vacuum" security bug because it could potentially allow a malicious hacker to suck data from a user's Web browser. Unlike previous Java bugs, though, this one will not put most users at risk since the latest glitch does not affect two of the most popular Web browsers, Microsoft's Internet Explorer and Netscape Communications' Communicator. The glitch does affect Sun's own HotJava, a less popular browser.

According to Brian Bershad, an associate professor of computer science at the University of Washington, a malicious applet could take advantage of the hole to snatch information from HotJava such as a user's password, browser history, and other private data such as a credit card number, which a user may have submitted to a Web site. The hacker would have to post a rogue applet to a Web site that could swipe data from a user's computer once he or she visits the site.

Bershad has posted detailed information on the bug on the University of Washington Web site. The bug is found only in version 1.1.2 of the Java Development Kit, a software package that so far has not been integrated into the most widely used Web browsers.

Today, Sun confirmed the existence of the bug but tried to downplay its importance, since Communicator and Internet Explorer are not affected. Nevertheless, the company said it will fix the bug in a new version of the JDK, version 1.1.3, due out later this week.

Marianne Mueller, a security staff engineer at Sun, contended that Java is still stronger than other Internet programming technologies such as Microsoft's ActiveX. Unlike Java, ActiveX does not have a software "sandbox" that prevents programs from roaming freely on a user's computer.

"Our security model is very good and our implementation is getting better," Mueller said. "To me, that's different from situation where you don't even have a security model."

But the University of Washington's Bershad said he was concerned that the latest bug did not exist in earlier versions of the JDK. "At the end of the day, what you want on your desktop is an implementation, not a model," he noted. "The thing to think about here is, are implementations improving? It looks like they are, but when a problem shows up that wasn't in early versions you have to ask yourself what's going on."

Sun today posted information on the bug on its own Web site.

This is not the first Java security glitch to be discovered by the University of Washington. Last May, Bershad and two students identified more than a dozen potential Java security risks in browsers from Sun, Microsoft, and Netscape. The bugs were eventually patched by all three vendors.

Hunting for security glitches has become a kind of cottage industry among professors, students, and professional programmers. Some have received consulting contracts from companies, though Bershad and his colleagues say that they have never accepted money for their bug-hunting efforts.

Earlier this month, however, Netscape accused a Danish programmer of trying to blackmail the company by demanding more than the usual $1,000 it pays for discovering glitches in its browser software. The programmer said that he felt the glitch he found warranted more than the standard reward.