Bug bites Macintosh Java

Mac users who are browsing the Web with Apple Computer's (AAPL) latest Java technology could be exposing their local files to risk.

Apple has developed its own Java Virtual Machine--the software that allows the operating system to understand and run programs written in Java--but the latest version (1.5) violates the Java security framework.

Called Mac OS Runtime for Java, or MRJ, the software mistakenly allows Java applets--small executable programs usually downloaded from the Net through a browser--to gain access to Macintosh system resources via an Apple technology called JDirect. Such access normally is not allowed under the Java security framework.

Apple has temporarily removed MRJ 1.5 from its Java site but will post a patch tomorrow.

"Our engineers found that this is indeed a problem, but if you wrote a test case it wouldn't occur every single time," said Apple Java product manager Gary Little.

Web developer Dan Hughes, who runs the Webintosh site for Mac-related information, said he will post applets that demonstrate the potential problem by the end of the week.

Theoretically, a Java programmer could exploit the flaw by writing a malicious applet that downloads to the user's system, then views, overwrites, or otherwise damages local files. Users are only at risk if they visit a site where a malicious applet lives.

There have been many similar security flaws related to Java and Microsoft's ActiveX technology in the past year, but there have been few, if any, reported incidents of actual mischief on the Web.

The Mac OS, including the latest System 8, does not use MRJ 1.5, so the only users at risk are those who have downloaded MRJ 1.5 since it was posted on Apple's Web site in August, Little said. He could not immediately say how many people have downloaded the software.

Until they install the patch, IE 3.0 and 4.0 users should use Microsoft's virtual machine, which is included with the browser. Cyberdog users should either reinstall MRJ 1.0.2 or stop using Cyberdog until the 1.5 fix has been posted. Navigator users are not at risk because the browser uses its own virtual machine.

Meanwhile, Apple will have MRJ 2.0 ready by the end of the year as part of its scheduled Mac OS 8 upgrade. The security hole will be plugged in that release, Little said. But he warned that beta copies of MRJ 2.0 currently in the hands of a small circle of Mac developers have the security flaw.