Another bug burrows out of Java

A British researcher has discovered yet another in a procession of Java bugs.

CNET News staff

This one could allow hackers to sneak a peek at users' files stored on their hard disk, but Sun Microsystems officials say they are already on the move to exterminate the problem by issuing software fixes to Java licensees, including Netscape Communications and Microsoft. Netscape says it plans to integrate the fix within the next few weeks.

The latest bug involves the Java Virtual Machine, the client software in Web browsers that interprets Java code. The bug could allow sophisticated hackers to dismantle Java's security manager, which is what prevents applets from reading or writing to hard disks. Normally, applets are "sandboxed" by the security manager so that they cannot, for example, retrieve information about a user's computer. But if a hacker manages to bypass the security manager, then everything stored on the hard drive is easy pickings.

JavaSoft officials have tried to minimize the threat caused by the bug, saying that only the most technically adept programmers will be able to exploit it. No malicious use of the bug has yet been reported.

"These are fairly complex problems that involved very smart computer science researchers who need to stare at the [Java] code," said Marianne Mueller, a security expert at JavaSoft. "These are not trivial problems [to discover]. That doesn't mitigate the importance of them. But it does put them into context."

Still, Sun has been bruised by a series of Java bug discoveries this year, including repeated discoveries by Edward Felten, an associate professor at Princeton University. As Java bug discoveries become almost routine, Sun's JavaSoft division has taken to posting a comprehensive list of security problems on its Web site.

The latest bug was discovered by David Hopwood, an Oxford University researcher, who notified JavaSoft of the problem June 2.
