Home & Office

MS flags Mac IE 5 security gap

A glitch that affects the browser's Java implementation resurfaces after a three-year break
Written by Matthew Rothenberg, Contributor

Microsoft acknowledged Wednesday that a potential security gap has resurfaced in the Mac version of Internet Explorer after a three-year hiatus.

"We believe that this is going to affect very few people, but obviously, since it's a security issue, we take it very seriously, and we're working on an update," said Irving Kwong, a product manager with Microsoft's Macintosh Business Unit. However, Kwong said he couldn't specify when the fix would be ready.

The company blamed the flaw -- what it calls a "Java redirect issue" -- on its implementation of Apple's Macintosh Runtime for Java, or MRJ, in the browser.

The glitch, which cropped up under Internet Explorer 3.0 in 1997, resurfaced again in IE 5. "With Internet Explorer 5, when we implemented Apple's MRJ, we tried to create a more secure Java session by offering the whole Secure Sockets Layer," Kwong said. "Doing that, we opened up a hole that was there before."

Microsoft said security would be compromised only under a specific set of conditions: "Our current understanding of the problem is that when an unknowing user visits a Web site with malicious code, the site could download an image from another Web site, such as an intranet that the user has permission to access, without the user's permission." Kwong said a malicious Web developer would need to know details of the exact path within the intranet from that specific user's computer. Users behind a firewall or on a network that employs intelligent authentication are safe from the glitch, he said.

The company recommended that concerned users disable Internet Explorer's use of Java until the problem is fixed.

In the meantime, "we've not seen anybody who's been harmed by this or has been able to exploit it," Kwong said.

What do you think? Tell the Mailroom. And read what others have said.

Editorial standards