A HOLE in Sun's Java Virtual Machine which enabled it to exploited through a browser has been patched. The flaw, found by researcher Jouko Pynnonen was found in the Java plug-in, which affects JRE 1.3.x and 1.4.x and SDK 1.3.x and 1.4.x.

It was a design error, as JavaScript code can create and transfer objects to untrusted applets for some private and restricted classes used internally by the JVM.

Sun Microsystems said the flaw could be exploited on most operating systems including Windows, Linux and Solaris. It has issued a patch and incorporated into versions SDK and JRE 1.4.2_06 and later and SDK and JRE 1.3.1_13 and later. -The Inquirer

A flaw in Sun Microsystems' plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.

The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday. Security information provider Secunia posted information about the flaw in an advisory that rated it a "highly critical" threat.

The Java plug-in enables small Web programs, known as applets, to run safely on a user's computer. But the security flaw allows a malicious Web site accessed through a victim's browser to bypass those protections.

"It allows execution of attacker-supplied code without user interaction (apart from viewing a Web page) which usually means a 'critical' classification," Pynonnen stated in an e-mail interview with CNET News.com.

"The same exploit could also be used against various operating systems and browsers, which makes it more serious," he added. The vulnerability can be used to attack systems running on Windows or Linux, for example, and using major browser software such as Microsoft's Internet Explorer and Firefox--meaning a large number of systems are vulnerable to attack.