
Java Lets Hackers Attack Your Browser

Most security experts consider Java one of the safest Web technologies, thanks to its built-in security feature that scans any application running under Java for rogue code. But two recent discoveries raise doubts about Java's security. Bug sleuth Dan Brumleve found one Java-based hole in some versions of Netscape Communicator, while Microsoft identified another in its own Internet Explorer.

Bug: Versions 4.05 through 4.74 of Netscape Communicator are vulnerable to attacks on the browser's Java virtual machine--the part of the browser that runs Java applets, which add interactivity to Web pages. A weakness in Java's security could allow a hacker to plant a malicious applet on a Web page and read files on your computer without your knowledge. (The hacker couldn't delete data, however.) Communicator browsers running on Windows 95, 98, NT, and 2000 are susceptible to attack.

Fix: Netscape's latest browser upgrade, Communicator 4.75, plugs this security hole. You can get the 15.8MB upgrade at Netscape's Download page. If you're running version 4.74, you'll need only a 4MB patch (from the same URL). Alternatively, you can disable Java in your browser: Within Communicator, select Edit, Preferences, Advanced, and uncheck Enable Java. This second method disables all Java applets; as a result, Web sites that use them won't behave properly, and you'll miss out on some interactive features such as Internet phone keypads.

Bug: A related flaw in Internet Explorer affects the Java virtual machine in IE versions 4.x and 5.x under Windows 95, 98, NT, and 2000. Many Web sites, such as online banks, store your personal log-in information in the browser for reuse. An ill-intentioned site operator could exploit IE's security hole to visit sites you're authorized to access, using your identity. The Java applet on a booby-trapped site passes your "credentials" to the hacker, who then can impersonate you while visiting other sites. The hole would not let the interloper steal passwords. Like the Netscape weakness, though, it would permit the intruder to read your files.

Fix: Microsoft's patch will keep a creep from using the hole to steal your online identity. Get the 141KB fix at this Microsoft Security Bulletin page or from Downloads.

Kick Out the Kakworm

The simple act of reading your e-mail can unleash the virus known as Wscript.KakWorm. The worm attaches a copy of itself to all outgoing messages, alters your Registry settings, and shuts down your PC at 5 p.m. on the first day of each month. If you use Outlook Express 5.0 and these symptoms sound familiar, your PC may be infected. For PCs running Windows 95, 98, and NT, Symantec has released a fix. Get the free 125KB download at Symantec's AntiVirus Research Center or from Downloads.
