The bug, which can expose private files and, in some circumstances, grant unauthorized access to sites on a company's intranet, first cropped up in late 1997. Microsoft patched it then, only to reintroduce the bug with the release of IE 5.
Dick Craddock, product unit manager for Mac IE at Microsoft, would not estimate when a fix would be available.
The hole in Microsoft's Web browser is tied to the browser's use of Java, Sun Microsystems' cross-platform programming language.
To be able to run on different operating systems, Java relies on a "Java virtual machine" (JVM), which for Apple's Macintosh platform is known as the Mac runtime for Java.
Apple makes its own virtual machine. However, the way IE 5 interacts with Apple's software is what allows the bug to do its damage. The hole concerns how Microsoft exposed IE's networking code to the Java virtual machine, Craddock said.
"A problem was found where it's possible for a malicious Web site to exploit a hole in the interface between IE and the Apple Mac runtime for Java to gain access to content redirected through to other Web sites," Craddock said.
Craddock said the attacker would have to first lure Web surfers to a booby-trapped Web site, then know the exact paths of the files they wanted to steal, or the exact address of the private intranet pages they wanted to access.
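The description above implies a redirect that was followed without re-checking which site it pointed to. As an added illustration, not Microsoft's or Apple's code, here is the check an applet sandbox needs on every hop: fetch on behalf of code loaded from a codebase URL, follow redirects one at a time, and refuse any hop whose origin differs from the codebase. Host names and the `SameOriginFetch` class are constructed for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

/** Added illustration, not Microsoft's or Apple's code: re-check origin on every hop. */
public final class SameOriginFetch {

    /** True when two URLs share scheme, host and effective port. */
    static boolean sameOrigin(URL a, URL b) {
        int pa = a.getPort() == -1 ? a.getDefaultPort() : a.getPort();
        int pb = b.getPort() == -1 ? b.getDefaultPort() : b.getPort();
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && pa == pb;
    }

    /**
     * Fetch target on behalf of code loaded from codebase, following redirects
     * one hop at a time so each Location header is checked before it is used.
     */
    static InputStream fetch(URL codebase, URL target, int maxHops) throws IOException {
        URL current = target;
        for (int hop = 0; hop <= maxHops; hop++) {
            if (!sameOrigin(codebase, current)) {
                throw new SecurityException("redirect leaves applet origin: " + current);
            }
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false); // inspect each hop ourselves
            int code = conn.getResponseCode();
            String location = conn.getHeaderField("Location");
            if (code / 100 == 3 && location != null) {
                current = new URL(current, location); // resolve relative Location
                conn.disconnect();
                continue;
            }
            return conn.getInputStream();
        }
        throw new IOException("too many redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample hosts: the applet's codebase and a redirect target
        // on an internal host (placeholder names, not from any real incident).
        URL codebase = new URL("http://www.example.com/applets/");
        URL hop = new URL("http://intranet.example.test/private/");
        System.out.println("hop allowed: " + sameOrigin(codebase, hop));
    }
}
```

Because the check runs before each hop is requested, a server inside the firewall is never contacted on the applet's behalf, which is the gap the disputed firewall argument leaves open.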
A firewall, which most corporate intranets use, should prevent access to unauthorized pages, Craddock said.
Bug hunter Ben Mesander, who posted a demonstration of the bug, took issue with Microsoft's characterizations of it.
"The bug is dangerous precisely because it works through firewalls," Mesander wrote in an email interview. "There's actually a firewall between my home network and the Web server the security demonstration is on. The only way a firewall would prevent the bug is if it disallowed all Web traffic. Most firewalls these days allow Web traffic."
Mesander also disputed the notion that an attacker would have to know an exact intranet address to penetrate it effectively, saying that directories with predictable addresses would guide the attacker to wherever he or she wished to go.
In related news, Craddock dismissed a report on the MacInTouch Web site that Microsoft's IE-for-Mac team had been dissolved and the company planned no future versions of IE for the Macintosh.
Instead, Microsoft has subsumed IE for the Mac under its WebTV group, according to Craddock.
"At Microsoft, like all other big companies, groups get moved around," he said. "The Mac IE team is intact, but we have moved to a different organization under WebTV. There's work to be done there that is very common to what we've done before on Mac IE. WebTV has a browser, and we happen to have a lot of browser expertise. It's just an organizational detail."