What could be worse than the Melissa virus of earlier this year? According to a team of computer scientists, it's a bug they found in "tens of millions" of Microsoft Windows computers, one that needs no click on OK to activate and lets the bad guys take control of your personal computer with nothing more complicated than an e-mail message.
The good news: If you surf the Web by way of Netscape, you're not exposed to the attack.
Which is probably just what Microsoft doesn't want to hear, considering a rash of security troubles its holdings or software have suffered of late.
This Windows security hole, the computer scientists tell Wired Digital, is in most copies of Windows 95 and all versions of Windows 98. It lets a hacker hide malicious code in an e-mail message or Web page, and that code can modify files surreptitiously, reformat your hard drive, or execute any DOS command.
"It's the Melissa virus but much worse," Rice University computer scientist Dan Wallach tells Wired Digital. "The Melissa virus required someone to click OK. This doesn't."
This is one back door Microsoft has acknowledged, says Wired Digital. The company has released an updated version of its Java virtual machine, which fixes the problem. But tens of millions who haven't downloaded the patch and have not disabled Java remain vulnerable to anyone who knows how the bug works.
Most at risk: Windows users with recent Java virtual machine versions who read e-mail in Microsoft Outlook, Outlook Express, or Qualcomm's Eudora, which use Microsoft's viewing software.
Browsing with Microsoft Internet Explorer 4 is also vulnerable if surfers click a Web site with malicious Java - but Netscape browsing isn't.
The bug is triggered by sending specific messages to a Java thread repeatedly, faster than the Java virtual machine can bat them away - the tries take milliseconds, the computer scientists say, and in "less than a second, the Java VM's security is toast." Thus does the hostile Java program get full privileges.
The team tipped Microsoft off late last month and the company fixed the bug.