Microsoft Corp. issued a "critical" security alert Monday for its Java virtual machine (JVM), saying a flaw in the product could let hackers view users' information while they surf the Web.
Microsoft is one of several vendors that make a JVM, a software program that allows applications written in Java to run on any computer regardless of its operating system. The company has included its JVM with Windows 98, Windows ME and Windows 2000, as well as its Internet Explorer browser up to version 5.5.
The flaw in the JVM makes it possible for a hacker to view user information as it passes through a proxy server. Businesses often set up proxy servers to act as gateways for their employees' Internet traffic, sometimes because it makes it easier for an administrator to block workers from reaching certain Web sites.
To exploit the weakness in the JVM, a hacker would need to lure users to a Web site where he or she had planted a malicious Java applet. When a user unwittingly collected the applet, the hacker would be able to see information about that user as it travelled across the proxy server, Microsoft said.
"It is almost like the applet sits and listens to the traffic that is going by," said Christopher Budd, security program manager with Microsoft's security response center. "It is possible for this to scoop up information."
Until the user closed the browser, the hacker would be able to record the Web sites visited by the user and even information entered at a Web page. However, the common SSL (secure socket layer) security technology employed by many Web sites would prevent encrypted information from being exposed, according to Budd.
In addition, most home users do not pass through a proxy server when accessing the Web, which means they should not be affected by the vulnerability.
Microsoft released an update to its JVM Monday afternoon (US time) which fixes the flaw, along with a handful of previously identified holes, Budd said. It is also working to update the JVM it makes available for download for the Windows XP operating system.
Following a legal dispute with Java creator Sun Microsystems Inc., Microsoft chose not to include a JVM with Windows XP, but computer makers such as Dell Computer Corp. and Compaq Computer Corp. preload the software for users on new machines.
The flaw could be present in JVMs from other companies besides Microsoft, and other companies may release updates to their JVMs in the coming days, according to Budd. Microsoft has worked closely with Sun to fix the flaw, he said.
One security expert questioned how much damage the flaw would cause given the string of steps a hacker would need to execute to make the exploit work.
"I don't see it as a huge threat," said Jim Magdych, security research manager for Network Associates Inc.'s Computer Vulnerability Emergency Response Team (COVERT). "It requires a lot of setup in order for this to actually be executed."
Developers have adopted Java partly because of the numerous features built in to the programming language, which give it wide flexibility. Java can be used to make anything from an applet that streams video on a cell phone to a back-end business application that serves up key business software to a company.
The "full-featured" nature of Java, however, can sometimes lead to problems, Magdych said.
"It's designed to give programmers a lot of flexibility, but when someone puts their mind to it, they can bend that for more nefarious purposes."