MS flags Mac IE 5 security gap

"We believe that this is going to affect very few people, but obviously, since it's a security issue, we take it very seriously, and we're working on an update," said Irving Kwong, a product manager with Microsoft's (msft) Macintosh Business Unit. However, Kwong said he couldn't specify when the fix would be ready.

The company blamed the flaw -- what it calls a "Java redirect issue" -- on its implementation of Apple's Macintosh Runtime for Java, or MRJ, in the browser.

The glitch, which cropped up under Internet Explorer 3.0 in 1997, resurfaced again in IE 5. "With Internet Explorer 5, when we implemented Apple's MRJ, we tried to create a more secure Java session by offering the whole Secure Sockets Layer," Kwong said. "Doing that, we opened up a hole that was there before."

Microsoft said security would be compromised only under a specific set of conditions: "Our current understanding of the problem is that when an unknowing user visits a Web site with malicious code, the site could download an image from another Web site, such as an intranet that the user has permission to access, without the user's permission."

Kwong said a malicious Web developer would need to know details of the exact path within the intranet from that specific user's computer. Users behind a firewall or on a network that employs intelligent authentication are safe from the glitch, he said.

The company recommended that concerned users disable Internet Explorer's use of Java until the problem is fixed.

In the meantime, "we've not seen anybody who's been harmed by this or has been able to exploit it," Kwong said.