Researchers have created a malicious Java program that takes
advantage of a security hole in Microsoft's Internet Explorer browser to get unlimited control over a Windows-based computer.
Within two days of hearing about the problem, Microsoft wrote and issued a patch to
fix it, a spokeswoman for the company said.
Through the security hole, a malicious Java program called an "attack applet"
could "install a virus, read your email, write a file, set up a monitoring
station, turn on your microphone," said Gary McGraw, a Java security expert and
co-author of the book Securing Java.
"It could do anything. It's way worse" than a bug that just crashes a computer,
Java is a technology created by Sun Microsystems that allows programs to be sent across a network and run on any Java-enabled computer.
The glitch was discovered by Edward Felten of the Secure Internet Programming
team at Princeton University and two of his former students, Dean Wallach at
Rice University and Drew Dean at Xerox PARC, McGraw said. The researchers
reported the hole to Microsoft, and it hasn't been used otherwise maliciously
to McGraw's knowledge.
The glitch only affected Microsoft's Java software on computers running Windows 95, 98, or NT, McGraw and Microsoft said. Netscape Web browsers and Microsoft
Web browsers for Macintosh or other computers aren't affected.
"The flaw itself was pretty easy to find, but writing the exploit was kind of
difficult," said McGraw, who has spoken with the discoverers of the
A hole in the Java sandbox
Java is more than just a programming language. Designed into the technology is the ability to run software sent across computer networks, a concept known as "mobile code." For example, a Java-enabled Web browser can download and run a
Java program called an "applet" from a Web site.
But with the advantages of mobile code comes a threat, too. Sun Microsystems, which
invented the Java technology, tried to head off these problems in advance by
restricting the types of actions that downloaded Java programs can take. The technique confines the applet to a harmless zone called the "sandbox."
But the new vulnerability evades that sandbox in Internet Explorer. The attack applet takes advantage of a glitch in a piece of Java software called the class
loader, whose job it is to load Java software into the computer's memory.
The problem is made worse by the fact that the attack applet can be delivered
by email, the discoverers said. "The flaw allows the creation of a malicious
applet that is attached to a [Web] page, which could be delivered...by
email via Outlook or other mail programs that use Microsoft's Java virtual
machine," the discoverers wrote on their Web site.
That means that a clever programmer could create a malicious program that
propagated itself the same way as the Melissa virus, McGraw said.
Sun's Java is pretty secure technology, though problems crop up from time to time, McGraw said.
"Java is head and shoulders above everything else from the perspective of
mobile code, but that doesn't mean it's perfect. Unfortunately, you have
to be perfect in order to be secure," he said.
Java is still better than Microsoft's equivalent technology, ActiveX, which
doesn't have a sandbox, McGraw said. ActiveX security relies on the concept of the mobile code coming from a trusted source that has "signed" the program. "The best idea is to turn [ActiveX] off," McGraw said.