The bug essentially flies under the radar of the security measures built into Java for detecting bugs. Java programs need a device called a Java virtual machine (JVM) that acts as an intermediate between the Java program and a PC. For most people, the JVM comes as part of their Web browser. While the JVM is trained to weed out malicious infiltrators, this bug had not yet made the "Most Wanted" list.
Java creator Sun Microsystems, however, says it's already fixed the bug, that the security hole is difficult to exploit, and Java security bugs are rare and getting rarer. "The impact should be fairly low," said Li Gong, chief Java security architect at Sun.
If someone were able to exploit the hole, the attack could come through a Java-enabled Web browser. Netscape's browser is affected, Sun said.
Java is a technology that, at least theoretically, allows software developers to write a program once and have it run on many computers regardless of the underlying technology such as what operating system or chip the computer is using.
However, along with this "write once, run anywhere" technology comes the potential for bugs and security holes that affect a variety of systems. That raises the possibility of viruses or other malicious programs that inherit the universality of Java.
The bug, reported in early March, so far has been only an academic issue since taking advantage of it is difficult, Gong said. "The impact should be fairly low. Even if you know how to exploit it, it's hard to come up with an attack applet," he said.
This bug was discovered by University of Marburg graduate student Karsten Sohr and brought to the attention of Sun by the Princeton University Secure Internet Programming Lab, Gong said.
It takes advantage of a problem in Sun's "verifier," Java software that makes sure that the Java programming instructions aren't violating security rules, Gong said. However, Sun simply missed a particularly unusual case, he said.
"The defense was not perfect," Gong said. "The [verifier] is fairly complicated, and there was a bug."
If someone wrote a Java program to exploit the bug, that program could gain access to parts of the computer it's not supposed to get, potentially causing damage, Gong said.
The problem is relatively easy to fix with the addition of a line of code, and Sun has been distributing that fix.
Earlier in Java's history, security bugs were more common, he said. In 1996, they came in about once a month. Things got better in 1997, and there were no reports in 1998. This is the first report in 1999.
The bug affects Java versions 1.1 and 1.2--the latter now called Java 2.