We have discovered a serious security flaw in the Java programming
language. This flaw exposes users of the Netscape Navigator web
browser to a risk of having their machine compromised; for example,
their data files could be read, deleted, or corrupted. We have been
able to exploit this flaw to successfully attack a machine in our own
laboratory.

Users can protect themselves from this risk by disabling Java until
the flaw is fixed. To disable Java, choose "Security Preferences"
from the "Options" menu in Netscape, then click the "Disable Java"
box.

Java is designed to allow an executable computer program, called an
applet, to be attached to a page in the World Wide Web. When a user
browsing the Web visits that page, the applet is automatically
downloaded into the user's machine and executed.

The flaw we discovered allows a malicious applet to generate and
execute raw machine code. This means that the malicious applet can
perform any action that the victim can legally perform; for example,
it can read, delete, or corrupt the victim's files. Since applets are
loaded and run automatically as a side-effect of visiting a Web page,
the result is that an unscrupulous person could "booby-trap" his Web
page so that anyone visiting the page has his machine compromised. A
malicious applet could spread like a virus by attaching itself to the
Web pages of its victims, thus making it difficult to trace the
original source of the attack.

At present we are not releasing technical details about the flaw, in
order to prevent unscrupulous persons from exploiting it. We will
announce the full details later; some of the details also appear
in our paper analyzing the security of Java, "Java Security: From
HotJava to Netscape and Beyond," in the 1996 IEEE Symposium on
Security and Privacy.

The existence of security flaws in Java does not imply that other,
competing systems are more secure. We chose to study Java because it
is the best-known system for attaching programs to Web pages. We
suspect that if competing systems were subjected to the same level of
scrutiny, they would also be found to have flaws. Building a secure
mechanism for embedding executable programs in Web pages is an
extremely difficult task.

[Note that the "security enhancements" announced by Netscape in
version 2.01 of Netscape Navigator do not fix this flaw. They fix two
separate flaws found previously, one found by us and independently by
Steve Gibbons, and the other found by David Hopwood.]