Major Java bug crawls to surface

Although US-based researchers have discovered a bug in Sun Microsystems' Java programming language that could give hackers carte blanche access to users' computers, SunSoft managing director Gil Thew isn't losing any sleep.

"They found one bug in a product that's been out for seven months: one bug!" Thew said. "How many bugs were there in Windows 95, and did that stop it from selling? We are inundated with people who want to use Java, people who want to sell it, people who want to develop with it. More important than what goes wrong, is how you react. A problem was discovered and we fixed it."

Even so, researchers have raised a number of interesting points about Java, Sun Microsystems' object-oriented, multimedia Internet programming language. "The consequences of the flaw are pretty severe," said Edward Felten, an assistant professor of computer science at Princeton University, who helped discover the bug. "Any operation that the PC is allowed to perform, the attacker is allowed to perform," Felten said. This includes reading, altering and sending files out over the Internet, as well as reformatting the hard drive. At risk is the large majority of Web users who use Netscape's Navigator to browse the Internet.

However, Sun sources say Web users won't be at risk much longer. Sun "engineers already have the fix and they're testing it right now," said Geoffrey Baehr, Sun's chief networking officer. Princeton researchers alerted Sun to the bug on Friday (March 22), and Sun engineers worked over the weekend on the fix, Baehr said. "It was a three-day piece of work [to create the fix], and then making sure it's tested and integrated is the other 50 per cent of the exercise," he said.

According to Sun sources, the fix will be available on Sun's Java group's Web site by March 29. The fix will also be distributed to Netscape for incorporation into Navigator, Baehr said.

Baehr says the security problem does not stem from the programming language itself, but from an "implementation problem". According to Sun, when users download instructions onto their machines from the Internet, a byte code verifier routinely performs a check to assess whether the downloaded applet (a mini-software program written in Java) is actually performing the functions that it says it is. The byte code verifier also assesses whether the machine will let the applet have access to the functions it wants to perform. Usually, the system can detect if an applet contains hidden, hostile code.

But Princeton University researchers were able to slip hostile applets past the verifier, giving hackers access to functions generally reserved for the PC owner, such as deleting or changing a file. The attack is not simple, as it requires a three-step process, according to Sun sources, who add that attackers must get past the byte code verifier, give the hostile applet power within the verifier and then create code to access others' computers. So far, Baehr says no one has reported being attacked.

Despite the flaw, bug discoverer Felten expresses confidence in Sun: "Java is a pretty good system overall, that's why we looked at it in the first place." He said the Princeton research team will keep looking for other flaws in Java, but does not expect to find additional security problems.