A team of programmers from Princeton University have discovered a bug in Netscape's Java Virtual Machine (JVM) that allows a malicious applet to bypass all of the security controls in Navigator 4.0. The applet is then free to do what it will to the user's system, including deleting or modifying files. Princeton has a demo applet that does delete files.

Netscape says the problem is fixed in Communicator 4.5.

"The vulnerability that occurs is in the Java sandbox. Our engineers did a lot of testing around this and we believe that what we posted in 4.5 fixes the vulnerability that Princeton has reported," a spokesperson from Netscape said.

Regardless, the official release of 4.5 is still months away, and many users won't upgrade for some time after that. Netscape is moot on whether a fix for 4.0x will happen