
Microsoft Patches Java Hole

'Critical' hole could permit hackers to view user activities under some circumstances.

Ashlee Vance, IDG News Service


Microsoft has issued a "critical" security alert for its Java virtual machine (JVM), saying a flaw in the product could let hackers view users' information while they surf the Web.

Microsoft is one of several vendors that make a JVM, a program that allows applications written in Java to run on any computer regardless of its operating system. The company has included its JVM with Windows 98, Windows Me, and Windows 2000, as well as its Internet Explorer browser up to version 5.5.

The flaw in the JVM makes it possible for a hacker to view user information as it passes through a proxy server. Businesses often set up proxy servers to act as gateways for their employees' Internet traffic, sometimes because it makes it easier for an administrator to block workers from reaching certain Web sites.

Microsoft on Monday released an update to its JVM that fixes the flaw, along with a handful of previously identified holes, said Christopher Budd, security program manager with Microsoft's security response center.

Hacker Could Watch

To exploit the weakness in the JVM, a hacker would need to lure users to a Web site where he or she had planted a malicious Java applet. When a user unwittingly loaded the applet, the hacker would be able to see information about that user as it traveled across the proxy server, Microsoft said.

"It is almost like the applet sits and listens to the traffic that is going by," Budd said. "It is possible for this to scoop up information."

Until the user closed the browser, the hacker would be able to record the Web sites visited by the user and even information the user entered at a Web page. However, the common SSL security technology employed by many Web sites would prevent encrypted information from being exposed, according to Budd.

In addition, most home users do not pass through a proxy server when accessing the Web, which means they should not be affected by the vulnerability.

Threat Downplayed

One security expert doubted how much damage the flaw would cause given the string of steps a hacker would need to execute to make the exploit work.

"I don't see it as a huge threat," said Jim Magdych, security research manager for Network Associates' Computer Vulnerability Emergency Response Team (COVERT). "It requires a lot of setup in order for this to actually be executed."

Developers tend to like Java because of its numerous features. Java can be used for everything from an applet that streams video on a cell phone all the way up to a server application.

The "full-featured" nature of Java, however, can sometimes lead to problems, Magdych said.

"It's designed to give programmers a lot of flexibility, but when someone puts their mind to it, they can bend that for more nefarious purposes."

More Patches Due

Microsoft is also working to update the JVM it makes available for download for the Windows XP operating system.

Following a legal dispute with Java creator Sun Microsystems, Microsoft chose not to include a JVM with Windows XP, but computer makers such as Dell and Compaq preload the software for users on new machines.

The flaw could be present in JVMs from other companies besides Microsoft, and other companies may release updates to their JVMs in the coming days, according to Budd. Microsoft has worked closely with Sun to fix the flaw, he said.
