Microsoft: Windows Users Safe 
From Java Bug
(03/07/97; 4:08 p.m. EST)
By Deborah Gage, Computer Reseller News

              REDMOND, Wash. -- Microsoft issued a statement Friday saying
              Windows users are protected from what it termed "a major security
              hole" discovered in Java.

              JavaSoft refused to disclose details of the bug, other than to say
              JavaSoft had discovered it during routine security testing and it had not
              been exploited. JavaSoft, Mountain View, Calif., earlier this week
              issued a patch to all Java licensees.

              Ordinary Java applets cannot exploit the bug, a JavaSoft
              spokeswoman said. "The bug requires someone to hand-craft byte
              code and figure out a way to infiltrate past the Java classes and
              compiler and into the system," she said.

              Microsoft officials said the bug could allow rogue applets to turn off all
              security safeguards, letting "full access to the native file system and
              crucial machine resources."

              Windows users are not affected because Microsoft uses a different
              byte-code verifier in its Java Virtual Machine than the one issued by
              JavaSoft, according to Microsoft.

              Microsoft is working on a fix for Internet Explorer for the Macintosh, a
              Microsoft spokeswoman said.

              Internet Explorer 3.0 users on Mac are affected. But Metrowerks,
              which helped develop the Microsoft Virtual Machine on Mac, has a fix.

              Metrowerks said the bug is "orders of magnitude" less serious than any
              security problems reported with Microsoft's ActiveX.

              "The bug is minor and it's difficult to exploit. Ordinary Java code can't
              access it," said Tim Freehill, engineering manager with the Metrowerks
              Java team, Austin, Texas.