New Java security bug found

Sun reveals that researchers at the University of Washington have found a bug that could allow hackers to crash Java programs.

Researchers at the University of Washington have found a bug in Sun Microsystems' Java technology that could allow hackers to crash Java programs, Sun said today.

Deliberately crashing a program is one form of what is commonly known as a "denial of service" attack. Such attacks can be a vexing experience for users, though they do not necessarily result in loss or theft of data.

Earlier this week, Microsoft had to release a patch for its Windows 95 and NT operating systems that protects users from such attacks. A number of Windows users complained of being knocked off Internet chat groups after being targeted by hackers wielding a program known as "WinNuke."

The latest Java bug illustrates that Sun's technology isn't immune to security vulnerabilities, though experts still regard it as safer than other technologies, such as Microsoft's ActiveX, because downloaded Java applets run inside a sandbox enforced by the JVM rather than as native code with the full privileges of the user.

Today, Sun tried to put its own spin on the Java bug, telling the news media that a University of Washington team led by Brian Bershad, an associate professor of computer science and engineering at the school, would issue a press release Monday about the bug. Sun said the bug was in the "byte code verifier of the Java virtual machine (JVM), a sort of filter that assembles Java code into usable applications as it is downloaded from the Internet." The verifier is the JVM component that checks downloaded class files for well-formedness and type safety before they are executed, so a flaw in it is reachable by any applet a user's browser loads.

According to Sun, the verifier has a bug that could allow a hacker to serve malicious code from a Web site to a user; when the verifier processes that code it would crash the JVM, causing the running Java program to shut down unexpectedly.

The University of Washington researchers could not be reached for comment.

Sun said that it has been briefed by the University of Washington team and that it has created a fix for the bug that will ship to Java licensees immediately. Sun will also ship the fix with a new version of the Java Development Kit, version 1.1.2, due the week of May 26.

Sun said it will post more information on the new bug on its security Web site tonight.