Microsoft and Sun Microsystems have issued warnings that some
versions of their Java Virtual Machines contain a flaw that could let a
malicious hacker see the information of a user browsing the Internet, and they urge
users to guard against such intrusion.
A Java Virtual Machine (JVM) is a common application installed on
many PCs that allows programs written in the Java programming language to run.
Microsoft has included its version of the JVM in Windows 98, Windows Me, and
Windows 2000, as well as in its Internet Explorer browser up to version 5.5. Sun
also makes its own version of a JVM that comes with the Netscape browser, and
which is licensed by other companies such as IBM and Oracle. Netscape 6.1 and
older versions could contain the flaw, according to a Sun security bulletin. In
addition, users of Sun's Solaris operating system that have not installed
periodic updates could also be affected.
Next, a hacker would need to lure a user to a Web site that contains a
malicious Java applet. Once the applet was activated, the hacker could see the
user's information as it travels through the proxy server, said Christopher Budd,
security program manager with Microsoft's security response center.
"It is almost like the applet sits and listens to the traffic that is going by,"
Budd said, in a previous interview. "It is possible for this to scoop up
information."
The hacker would be able to watch the user
as he or she traveled about the Web and even see private information entered
into Web pages. The SSL (Secure Sockets Layer) security technology used by many
Web sites would prevent encrypted information
The flaw was discovered by Dutch security specialist Harmen van der Wal, who
notified Sun of the problem last April. Sun worked to notify its licensees of
the flaw and help them fix it in September and October of 2001, said a Sun
spokesperson. Both Microsoft and Sun then coordinated their effort to issue a
public fix this week.
Exploiting the problem in the JVM would
require a hacker to execute a number of difficult steps successfully, and Sun
has yet to be notified of an instance where the Java flaw has been used against
a user.

The Microsoft virtual machine (Microsoft VM) includes a security
vulnerability that may allow script code in a Web page or HTML-based e-mail
message access to ActiveX controls that should not be available in those
contexts. This vulnerability can give malicious script code access to any
ActiveX controls that are installed on the visiting user's computer. The ActiveX
controls could then give the malicious script complete control over the visiting
user's computer, including the ability to read and write files on the local hard
drive.