Ben Mesander, a Java developer with Creative Concepts in Boulder, Colorado, said that Internet Explorer 3.x and 4.0 let a Java applet open a network connection to a server other than the one it came from. Such a connection is not allowed under the current Java security model, which leads Mesander to believe that the flaw is in Microsoft's browser and not in Java itself.
After looking at the source code for Mesander's applet, a Sun Microsystems security expert agreed. "Our implementation prevents that from happening, so there must be some customization in IE that bypasses this security check," said Java security architect Li Gong.
Microsoft representatives confirmed the flaw exists in the Java Virtual Machines for Windows 3.1, Windows 95, and NT. IE for Macintosh is not affected.
The danger of such applet mischief could come if an applet downloaded megabytes of files from an FTP site and choked a user's hard drive, or if it downloaded infected files. Once the applet makes the connection, it can download or transfer files to the user's hard drive. The security flaw could also be exploited from behind a company firewall, according to Mesander.
Microsoft says the flaw only pertains to image files. "At this time, our testing shows that the problem is isolated to images only," said Internet Explorer product manager Kevin Unangst. He added that it doesn't cause any data loss and the malicious applet programmer must know the exact name and location of the image to circumvent the Java security model.
Mesander maintains that Microsoft is wrong and that the flaw extends to files other than images. He has posted a demonstration of the flaw on his home page.
Netscape representatives said the flaw does not affect their browsers.
Under the current Java security model, Java applets downloaded by users are only allowed to communicate with the servers that host them, according to JavaSoft, the Sun division in charge of Java development. If an applet attempts a connection to another host, a "security exception" warning occurs and the applet is aborted.
Applets often communicate with, or "make calls" to, their original hosts to get images and other elements to create an interface within a user's browser. Mesander's applet made a call back to its own server, but instead of handing back an image file, the server used a CGI script to force the applet to open a connection to another server.
Normally, the Java system should detect and block such a connection. Mesander's applet opens a connection to the Microsoft Web site, downloads a GIF image, and displays it on Mesander's Web page. The visual display is just for demonstration purposes, however, and the user wouldn't necessarily notice that the applet is communicating with a second site.
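The redirect mechanism described above, modelled in Python as an added example (this is not code from the article or from Mesander's applet, and the host names, URLs and responses are constructed): the first fetch routine checks the host only for the initial URL and then follows redirects blindly, which is the behaviour the article attributes to IE's Java VM, while the second re-checks the host before every hop, which is what the Java security model requires.

```python
from collections import namedtuple
from urllib.parse import urljoin, urlparse

# Constructed stand-in for an HTTP response and for the network itself.
Response = namedtuple("Response", "status headers body")
REDIRECTS = {301, 302, 303, 307, 308}


class SecurityException(Exception):
    """Raised when an applet would connect to a host other than its origin."""


def fetch_checked_once(origin_url, url, transport, max_hops=5):
    """Flawed policy: check the first URL only, then follow redirects blindly."""
    if urlparse(url).hostname != urlparse(origin_url).hostname:
        raise SecurityException(f"{url} is not on the applet's origin host")
    for _ in range(max_hops):
        resp = transport(url)
        if resp.status not in REDIRECTS:
            return url, resp
        url = urljoin(url, resp.headers["Location"])
    raise SecurityException("too many redirects")


def fetch_checked_each_hop(origin_url, url, transport, max_hops=5):
    """Corrected policy: re-check the host before every connection, redirects included."""
    origin = urlparse(origin_url).hostname
    for _ in range(max_hops):
        if urlparse(url).hostname != origin:
            raise SecurityException(f"applet from {origin} tried to connect to {url}")
        resp = transport(url)
        if resp.status not in REDIRECTS:
            return url, resp
        url = urljoin(url, resp.headers["Location"])
    raise SecurityException("too many redirects")

# Constructed network: the applet's own CGI script answers with a redirect to a
# second site that serves a GIF; a same-host redirect is included for contrast.
FAKE_NET = {
    "http://applet.example/cgi-bin/image": Response(302, {"Location": "http://other.example/logo.gif"}, b""),
    "http://other.example/logo.gif": Response(200, {}, b"GIF89a..."),
    "http://applet.example/cgi-bin/local": Response(302, {"Location": "/local.gif"}, b""),
    "http://applet.example/local.gif": Response(200, {}, b"GIF89a-local"),
}


def fake_transport(url):
    """Look the URL up in the constructed network instead of opening a socket."""
    return FAKE_NET[url]
```

With the flawed policy the GIF from the second host comes back silently; with the per-hop check the same redirect raises a SecurityException, while a redirect that stays on the origin host still succeeds.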
"It doesn't bring up the page on screen," said Mesander. "There's no visual indication that all this is happening behind the scenes."