Speaking of flaws:
Java Developer Warns Of Microsoft Virtual Machine Bug
January 5, 1999
SAN FRANCISCO, CALIFORNIA, U.S.A., Newsbytes via NewsEdge Corporation: An Italian Java software developer who has previously reported security holes in Microsoft Corp. [NASDAQ:MSFT] applications said today that a new threat exists to users of the firm's latest Java Virtual Machine (JVM) release. Microsoft had to reintroduce its Java-related products after a California court ruled that the company had violated a licensing agreement with Java's creator Sun Microsystems Inc. [NASDAQ:SUNW], last month.
Programmer Fabio Ciucci and his Anfy Java collective said today that users of the new JVM release are fair game for a virus-like Java applet already being spread across the Internet. Ciucci first detailed a security hole in JVM last year and Microsoft issued a subsequent repair patch. However, the programmer contends that the new JVM release does not include a permanent fix and new users may not know of the existing patch as Microsoft has not publicized it with the product. The malicious applet causes users' machines to crash without warning when they unknowingly contract it through corrupted e-mail attachments or Internet downloads.
"Now, hackers and other malicious people are using and spreading the crash applet, and Microsoft customers don't know why they are crashing," Ciucci said. "Most users don't know that they can avoid this by downloading the patch. With the new Java update available it hasn't been publicized."
The programmer contends that Microsoft "forgot" to include its patch in the JVM security advisor.
"People should be in a hurry to download the patch, to become safe," Ciucci said. "I hope someone will encourage the updating of JVM, even without saying why, to make people safe from the crash. I'm simply disappointed for the users who will crash without knowing a patch is available."
Microsoft has yet to respond to Ciucci's latest claims. Ciucci and his team are the creators of Anfy Java, a suite of 35 Java applets for generating special effects.
The original security glitch is an "impure" Java applet which uses Microsoft's "extensions" to the official Java specifications, but Ciucci said that it is still capable of corrupting the new JVM. The applet will not only crash Internet Explorer 4.0, 4.1, and IE 5 beta, it will crash the whole Windows 95/98 operating system with all running applications cut off and unsaved work lost. On Windows NT, Internet Explorer crashes, but the operating system in most cases is still usable, according to Ciucci.
The subsequent update released by Microsoft can be downloaded at microsoft.com or microsoft.com.
Some antivirus companies have already introduced support for blocking execution of the malicious applets. Finjan announced that its SurfinGate 4.02 product prevents the applet from being executed.
Ciucci has also identified several sites where the applet in question can be downloaded. These are: damnation.net and hackersclub.com.
Anfy Java's Web address is anfyjava.com
Reported By Newsbytes News Network, newsbytes.com
(19990104/WIRES NETWORK, PC/)
<<Newsbytes -- 01-04-99>>
[Copyright 1999, NewsBytes]