Microsoft, Sun, Netscape warn of flaw in Java

By Ashlee Vance

March 6, 2002

(IDG) -- Microsoft and Sun Microsystems, typically bitter rivals, are working together this week to warn IT managers that a security flaw in their Java virtual machine (JVM) software could let hackers take control of Web browsers and possibly steal user identifications, passwords and other data.

Netscape Communications Corp. also said some versions of its Web browser software are vulnerable to the flaw and should be upgraded to more recent releases that include a new JVM plug-in developed by Sun.

Microsoft late Monday disclosed that its JVM software is affected and gave the vulnerability its maximum severity rating. The company said IT managers who have set up proxy servers for their Internet Explorer Web browsers should immediately install a patch designed to fix the flaw that was acknowledged Monday, as well as a handful of previously identified holes in the JVM code.

Systems are only vulnerable if Internet Explorer is used in conjunction with a proxy server, Microsoft said. The flaw affects the JVM code that ships with Versions 4 and 5 of Internet Explorer and could be exploited by an attacker to redirect traffic after users have sent Java requests to their proxy servers, the company added.

JVM programs allow applications written in Java to run on any computer, regardless of its operating system. Microsoft builds its JVM into Windows 98, ME and 2000 as well as releases of Internet Explorer up to Version 5.5. The code also can run on top of Windows 95 and Windows XP.

Sun's JVM software comes with Netscape browsers and has also been licensed by vendors such as IBM and Oracle Corp. Versions 6.1 and lower of Netscape could be affected by the flaw, according to a Sun security bulletin that had yet to be posted on the company's Web site as of this afternoon.

In addition, users of Sun's Solaris operating system who have not installed periodic updates could be affected by the JVM vulnerability. Sun urged users to download the most recent version of its JVM in order to protect their systems. "Users need to be an active participant in being secure," a Sun spokesman said. "As long as they remain current on their versions of software, they are safe."

Mountain View, California-based Netscape, a unit of AOL Time Warner Inc., posted its own advisory encouraging users of Netscape Communicator or complete installations of its Netscape 6.0, 6.01 and 6.1 software to upgrade their systems. (AOL Time Warner is the parent company of CNN.com.) Netscape 6.2 and 6.2.1 include Sun's new JVM plug-in and aren't vulnerable to the flaw, Netscape said.

The JVM hole was discovered last year by Dutch security specialist Harmen van der Wal, who said in a posting today that he found the hole "more or less by coincidence." Van der Wal, who declined to disclose specific technical details about the flaw in order to prevent would-be attackers from learning how to exploit it, said he notified Sun of the problem last April.

Sun's spokesman said the company worked to notify its licensees of the flaw and to help them develop fixes during September and October of 2001. Microsoft and Sun then coordinated their efforts to issue a public warning about the vulnerability this week, he added.

Sun has yet to be notified of an instance in which the JVM flaw was actually exploited. But Microsoft said the vulnerability makes it possible for hackers to view passwords and other user information as the data passes through proxy servers. Companies often set up such servers to act as gateways for their Internet traffic, sometimes because that makes it easier for IT administrators to block workers from reaching certain Web sites.

By exploiting the vulnerability, an attacker could use a malicious Java applet to hijack an end user's Internet session without the user being aware that it was happening, Microsoft said. The hacker could then send malicious responses while making it appear as if the information was coming from the user's intended destination on the Internet. An attacker also could capture the user's session information and mimic a denial-of-service attack, the company said.

"It's almost like the [malicious] applet sits and listens to the traffic that is going by," said Christopher Budd, a security program manager at Microsoft's security response center. "It's possible for this to scoop up information."

Until the user closed his browser, the hacker would be able to record the Web sites visited by the user and even information entered at a Web page. However, Budd said the Secure Sockets Layer security technology employed by many Web sites would prevent encrypted information from being exposed.

Following a legal dispute with Java creator Sun, Microsoft didn't include a JVM with Windows XP. But computer makers such as Dell Computer Corp. and Compaq Computer Corp. preload the software for users on new machines. In addition to the patch it released Monday, Microsoft is working to update the JVM code it makes available for use with Windows XP, Budd said.

One security analyst questioned how much damage the flaw could cause given the string of steps a hacker would need to execute to exploit the vulnerability.

"I don't see it as a huge threat," said Jim Magdych, security research manager for the computer vulnerability emergency response team (COVERT) at Network Associates Inc. in Santa Clara, California. "It requires a lot of setup in order for this to actually be executed."

© 2002 Cable News Network LP, LLLP.