Microsoft finds critical hole in its Java VM


Internet Explorer users have been warned of a security hole in Microsoft's Java Virtual Machine (JVM) that could allow a hacker to view confidential information.

The flaw in the JVM makes it possible for a hacker to view user information as it passes through a proxy server. Businesses often set up proxy servers to act as gateways for their employees' Internet traffic.

Microsoft said a hacker could lure users to a Web site where he or she had planted a malicious Java applet. When a user unwittingly loaded the applet, the hacker would be able to see information about that user.

"It is almost like the applet sits and listens to the traffic that is going by," said Christopher Budd, security programme manager with Microsoft's security response centre. "It is possible for this to scoop up information."

Until the user closes the browser, the hacker can record the Web sites visited by the user and even information entered at a Web page. However, the common secure socket layer (SSL) security technology employed by many Web sites would prevent encrypted information from being exposed, according to Budd.

Microsoft is one of several suppliers that make a JVM. The company bundled its JVM with Windows 98, Windows ME and Windows 2000, and with Internet Explorer up to version 5.5.

Following a legal dispute with Java creator Sun Microsystems, Microsoft chose not to include a JVM with Windows XP. However, computer makers such as Dell and Compaq preload Java on their new machines.

The flaw could be present in JVMs from other companies besides Microsoft, and other companies may release updates to their JVMs in the coming days, according to Budd.
