Karsten Sohr, a graduate student at the University of Marburg in Germany, discovered the security hole, which takes advantage of a problem that allows an untrusted Java program to masquerade as a trusted one. Researchers at Princeton University's Secure Internet Programming team created a demonstration "attack applet" that exploits the hole, slipping in under the radar of the Internet Explorer Web browser and deleting files.
Java is a technology created by Sun Microsystems. It allows programs to be sent across a network and run on any Java-enabled computer. Microsoft licensed Java from Sun in 1995 and subsequently added Windows-specific extensions to Java technology included in its Web browser and other software. Sun filed suit in October 1997 accusing Microsoft of "sabotaging" Java by adding those extensions in violation of Microsoft's license. The trial is ongoing.
An applet is a program that is downloaded over the Internet by software such as a Java-enabled Web browser. By confining an applet's operations to a restricted execution environment called a "sandbox," which denies it direct access to the file system, the network and other local resources, Java generally prevents applets from taking unauthorized actions.
Microsoft acknowledged the problem but said it would require a very sophisticated programmer to be able to take advantage of it. A spokesperson said Microsoft will post a fix as soon as possible.
The news comes on the heels of a vulnerability Microsoft acknowledged yesterday that exploits Internet Explorer's ability to follow downloaded instructions called scripts. In an alert, Microsoft said it was working on a patch for this latest IE issue.
Sun touts Java as highly secure, a boast many experts back up. But because Java programs can be sent across the Internet to Web browsers, a breach in the safety of Java is magnified. Java programs are often used to add elaborate features to Web pages.
The new security problem is not in Java's design, but rather in how Microsoft implemented that design. Other companies' versions of Java, including Sun's, aren't affected, said Gary McGraw of Reliable Software Technologies in a statement.
Sohr has found other Java security problems before, including one found in March that afflicted Sun's version of Java software but not Microsoft's.
The new security hole is related to the last one Sohr found. Both take advantage of a flaw in a Java software component called the "bytecode verifier," which is supposed to screen incoming Java programs before they run, checking that the code uses types consistently so that it cannot treat one kind of object as another. If the verifier wrongly accepts such code, the sandbox can be bypassed. The new vulnerability also is similar to one found in August that allows a malicious program unlimited access to a computer.
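To make concrete what the bytecode verifier is screening for, the following is an added example, written for this page rather than taken from Sun's or Microsoft's Java implementation. It is a toy, straight-line stack-machine verifier over a hypothetical instruction set (the class names "TrustedApplet" and "UntrustedApplet", the method "deleteFile" and the instruction names are all invented for illustration). A compiler only emits sequences in which every operation receives the type it expects; the verifier's job is to reject hand-crafted sequences that do not, such as calling a trusted class's method on an untrusted object, or on an integer.

```python
"""Toy bytecode verifier: abstract interpretation over operand-stack types.

Added example for illustration only; the instruction set, class names and
method names are hypothetical and do not correspond to real JVM bytecode.
"""
from typing import Optional


class VerifyError(Exception):
    """Raised when a bytecode sequence fails static type checking."""


# Hypothetical class hierarchy for the example: class -> superclass.
HIERARCHY = {"Object": None, "UntrustedApplet": "Object", "TrustedApplet": "Object"}


def is_subclass(cls: str, parent: str) -> bool:
    """Walk up HIERARCHY from cls looking for parent."""
    while cls is not None:
        if cls == parent:
            return True
        cls = HIERARCHY[cls]
    return False


def assignable(actual: str, expected: str) -> bool:
    """'int' only matches 'int'; reference types match by subclassing."""
    if actual == "int" or expected == "int":
        return actual == expected
    return is_subclass(actual, expected)


def verify(code: list) -> list:
    """Abstractly execute `code`, tracking only the TYPE of each stack slot.

    Instructions (all hypothetical):
      ("iconst", n)            push an int
      ("new", cls)             push a reference of type cls
      ("checkcast", cls)       pop a reference, push it retyped as cls
                               (the real check happens at run time)
      ("invoke", cls, method)  pop a receiver that must be assignable to cls
      ("return",)              stop; the remaining stack types are returned
    Raises VerifyError on any type mismatch or stack underflow.
    """
    stack: list = []

    def pop(expected: str, pc: int) -> str:
        if not stack:
            raise VerifyError(f"pc {pc}: stack underflow")
        actual = stack.pop()
        if not assignable(actual, expected):
            raise VerifyError(f"pc {pc}: expected {expected}, found {actual}")
        return actual

    for pc, ins in enumerate(code):
        op = ins[0]
        if op == "iconst":
            stack.append("int")
        elif op == "new":
            if ins[1] not in HIERARCHY:
                raise VerifyError(f"pc {pc}: unknown class {ins[1]}")
            stack.append(ins[1])
        elif op == "checkcast":
            pop("Object", pc)          # must be a reference, not an int
            stack.append(ins[1])       # statically trusted; run-time cast enforces it
        elif op == "invoke":
            pop(ins[1], pc)            # receiver must really be a cls (or subclass)
        elif op == "return":
            return stack
        else:
            raise VerifyError(f"pc {pc}: unknown opcode {op}")
    raise VerifyError("code falls off the end without return")


def check(code: list) -> Optional[str]:
    """Return None if `code` verifies, else the verifier's error message."""
    try:
        verify(code)
        return None
    except VerifyError as e:
        return str(e)


# Constructed sample programs.
# What a compiler would emit: a trusted object calls its own method.
COMPILED = [("new", "TrustedApplet"), ("invoke", "TrustedApplet", "deleteFile"), ("return",)]
# Hand-crafted: an untrusted object masquerading as a trusted one.
CONFUSED = [("new", "UntrustedApplet"), ("invoke", "TrustedApplet", "deleteFile"), ("return",)]
# Hand-crafted: an integer used where an object reference is required.
INT_AS_REF = [("iconst", 0), ("invoke", "TrustedApplet", "deleteFile"), ("return",)]
# Explicit cast: the verifier accepts it and defers to the run-time check.
WITH_CAST = [("new", "UntrustedApplet"), ("checkcast", "TrustedApplet"),
             ("invoke", "TrustedApplet", "deleteFile"), ("return",)]

if __name__ == "__main__":
    for name, prog in [("COMPILED", COMPILED), ("CONFUSED", CONFUSED),
                       ("INT_AS_REF", INT_AS_REF), ("WITH_CAST", WITH_CAST)]:
        print(f"{name:10s} -> {check(prog) or 'verified'}")
```

The point of the toy is the division of labour it illustrates: the verifier decides statically, before a single instruction runs, whether a program can ever confuse one type with another, and everything downstream (the sandbox's access checks included) relies on that decision being right. A flaw that lets a sequence like CONFUSED through gives a hostile applet a reference it can use as if it were trusted, which is the kind of failure the article describes.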
Microsoft said the threat of the new problem is low because it's hard to exploit it.
"The issue could potentially enable an incredibly highly skilled developer to manipulate Java bytecodes by hand" to create a program that "could give a hostile applet control of a system," a spokesperson said. However, the security hole couldn't be exploited using the ordinary method of creating Java programs with software development tools, the spokesperson said.
Microsoft knows of no users who have been affected by the problem, the company said.