The flaw in the Java Virtual Machine (JVM) makes it possible for a hacker to view user information as it passes through a proxy server. Businesses often set up proxy servers to act as gateways for their employees' Internet traffic.
Microsoft said a hacker could lure users to a Web site where he or she had planted a malicious Java applet. When a user unwittingly loaded the applet, the hacker would be able to see information about that user.
"It is almost like the applet sits and listens to the traffic that is going by," said Christopher Budd, security programme manager with Microsoft's security response centre. "It is possible for this to scoop up information."
Until the user closes the browser, the hacker can record the Web sites visited by the user and even information entered on a Web page. However, the common Secure Sockets Layer (SSL) security technology employed by many Web sites would prevent encrypted information from being exposed, according to Budd.
Microsoft is one of several suppliers that make a JVM. The company bundled its JVM with Windows 98, Windows ME and Windows 2000, and with Internet Explorer up to version 5.5.
Following a legal dispute with Java creator Sun Microsystems, Microsoft chose not to include a JVM with Windows XP. However, computer makers such as Dell and Compaq preload Java on their new machines.
The flaw could be present in JVMs from other companies besides Microsoft, and other companies may release updates to their JVMs in the coming days, according to Budd.