Fabio Ciucci, a Java programmer noted for previously
finding and reporting security holes in Microsoft applications, recently
highlighted the most recent threat to users of the latest version of
Microsoft’s Java Virtual Machine (JVM).
Microsoft recently updated its Java-based products after a California court
ruled in favor of Sun Microsystems Inc. and agreed that Microsoft had
violated a licensing agreement between the two companies.
Fabio Ciucci, lead programmer of Anfy
Java, indicated that users of Microsoft’s new JVM release are all
susceptible to the Java applet. Ciucci first reported the security hole in
the JVM last year and Microsoft then released a repair patch for the
product. Ciucci said, however, that Microsoft’s newest JVM release does
not contain the patch, nor does it include a permanent fix for the bug.
The applet in question causes users’ machines to instantly lock up, forcing
the user to reboot the machine in order to continue using it. The applet
can be present in e-mail attachments as well as standard Web pages. The
patch which Microsoft released is still effective, but many users are not
aware that the patch is available.
The applet is capable of crashing Microsoft Internet Explorer 4.0, 4.1, and
IE 5 beta. It effectively crashes the entire Windows 95/98 operating
system, killing any running applications as well.
The patches can be downloaded from
Microsoft at no charge. For those hoping to see the applet in action, you
can download it
in zipped format, but be forewarned, it does work. The source code is
included in the zip file, along with notes from the hacker that created it.