Java bug demo has its own flaw

The Java developer whose Web site demonstrates a flaw in Internet Explorer disables his demo because the applet he has written is itself flawed.

2 min read
First and foremost, it's a cautionary tale. The Java developer whose Web site demonstrates a flaw in Microsoft's (MSFT) Internet Explorer had to disable his demo because the applet he wrote was itself flawed.

The applet showed that the security flaw affected not only Internet Explorer but also Netscape's (NSCP) Navigator browsers when Navigator was IE flaw permits Java mischief related story connected to a proxy server. The IE results were correct, and Microsoft managers acknowledged the bug in their browsers on Friday.

But the flawed Navigator/proxy server scenario turned out to be a false alarm, and Ben Mesander, the programmer who posted his warnings about Netscape on his Web site Friday night, had to rescind them this afternoon.

"The above applet has a bug and is not specific enough in testing whether or not your browser is vulnerable," Mesander wrote today on his site. "Sometimes, as was the case with Netscape Navigator, it reported the bug was present when it was not! Rather than give out incorrect information, I will post a new applet to test with later."

The fact that Mesander's applet correctly identified the IE flaw but gave what Netscape representatives today called a "false positive" for Navigator says more about the profusion of platforms and test cases than the quality of one browser over the other.

The story serves as a reminder that, just as the rush to disseminate browsers in a rapidly evolving computing environment creates a "publish-and-patch" mentality, the yardsticks used to measure the browsers are not immune to similar flaws. Companies like Microsoft and Netscape have effectively turned end users into testers by making beta software easily available and, in Netscape's case, setting up a "bugs bounty" reward program.

Meanwhile, Microsoft has posted information about the IE Java hole on its security site. IE 4.0 will be fixed when the final version is released in the next couple of months. There is no date set for an I.E 3.x patch. In the meantime, Microsoft suggests that concerned IE users should disable Java.