Microsoft Corp. and Sun Microsystems Inc. issued warnings Monday that some versions of their Java Virtual Machines (JVMs) contain a flaw that could let a malicious hacker see the information of a user surfing the Internet.
A JVM is a common application installed on many computers that allows programs written in the Java programming language to run. Microsoft has included its version of the JVM in the Windows 98, Windows ME and Windows 2000 operating systems, as well as in its Internet Explorer browser up to version 5.5. Sun also makes its own version of a JVM that comes with the Netscape browser and that is licensed by other companies such as IBM Corp. and Oracle Corp. Versions 6.1 and lower of Netscape could contain the flaw, according to a Sun security bulletin. In addition, users of Sun’s Solaris operating system that have not installed periodic updates could also be affected.
A flaw in Microsoft’s JVM and older versions of the Sun JVM can let a hacker “watch” users as they surf the Web, seeing the pages they visit and possibly any personal information a user has entered at a Web site.
For this exploit to work, a user would first need to be sending his or her information over a proxy server. Companies often use proxy servers as a type of gateway that funnels their employees’ Internet traffic. This can help make it easier for an administrator to set security preferences and manage tasks for groups of people.
Next, a hacker would need to tempt a user to a Web site that contains a malicious Java applet. Once the applet was activated, the hacker could see a user’s information as it traveled across the proxy server, said Christopher Budd, security program manager with Microsoft’s security response center, when asked Monday about the flaw.
“It is almost like the applet sits and listens to the traffic that is going by,” Budd said, in a previous interview. “It is possible for this to scoop up information.”
The hacker would be able to watch the user as he or she traveled about the Web and even see private information entered into Web pages. The SSL (secure socket layer) security technology used by many Web sites would prevent encrypted information from being exposed and closing the Web browser would also cut the hacker’s connection, Budd said.
The flaw was first discovered by Dutch security specialist Harmen van der Wal, who notified Sun of the problem last April. Sun worked to notify its licensees of the flaw and help them fix it in September and October of 2001, said a Sun spokesman. Both Microsoft and Sun then coordinated their effort to issue a public fix this week.
Exploiting the problem in the JVM would require a hacker to execute a number of difficult steps successfully, and Sun has yet to be notified of an instance where the Java flaw has been used against a user.
Microsoft issued an update to its JVM Monday and Sun urged users to download the most recent version of its JVM in order to solve the problem.
“Customers and users need to be an active participant in being secure,” the Sun spokesman said. “As long as they remain current on their versions of software, they are safe.”
A description of the flaw by van der Wal is at http://www.xs4all.nl/~harmwal/issue/wal-01.txt
An update to Microsoft’s JVM is available at http://www.microsoft.com/java/vm/dl_vm40.htm/
Microsoft, in Redmond, Wash., is at http://www.microsoft.com/
Sun, in Palo Alto, Calif., is at http://www.sun.com/