Computers with the newest version of Apple's Macintosh operating system
software could be used as unwitting aides to the latest fad in Internet
attacks, according to a new report.
Customers who have installed Mac OS 9 are susceptible to being used in
"denial of service" attacks from malicious programmers if their computer is
hooked up to the Internet via "always on" digital subscriber line (DSL) or
cable modem connections.
The computer expert who discovered the flaw said that it does not
appear that Mac computers themselves are being shut down by attacks, but
that they merely are capable of being used as pawns to harm other computers.
Dr. John Copeland, who chairs the Georgia Institute of Technology's School
of Electrical and Computer Engineering, said the correction for the flaw
needs to be applied before New Year's Eve in order to prevent the Macs from
being used to attack other computers. As previously reported by CNET News.com,
security experts have warned of a possible concerted effort to attack
computers on New Year's Eve.
Apple has already issued a fix for the problem at its Web site.
Carnegie Mellon University's Computer Emergency Response Team (CERT) said
in an advisory note that "Intruders can flood networks with overwhelming
amounts of traffic or cause machines to crash or otherwise become
It does not appear that any computers have yet to be used in
such attacks; CERT merely reported that such an attack was possible.
Cupertino, Calif.-based Apple said in a posted reply to the CERT team:
"We've reproduced the problem in our labs. The problem only affects
customers running our most recent release of networking software on
machines that are continuously attached to the Internet."
"Apple is aware of the CERT advisory and has taken steps to address it,"
confirmed an Apple spokesman. "While we believe the potential risks to our
customers is extremely small, we have worked quickly to provide the latest
and most secure software to Mac users," he said.
In addition to being able to download the fix and installing the software
themselves, Mac OS 9 is capable of automatically updating itself with this
fix as it becomes available later on specialized Apple servers, but only
when the feature is enabled by the user.
Most Macintosh customers are not affected by this problem, Apple said.
Denial of service attacks aren't new, but there has been a sudden surge in
them. Recently, two new families of attacking programs, called the "Tribe
Flood Network" and "Trinoo" were identified by experts. Computer experts
believe that some attacks are timed to go off when the century turns.
Generally, denial of service attacks work like this: An attacker secretly
embeds software into hundreds of unwitting computers. Then, at a selected
time, a command is issued that prompts the infected computers to swamp a
target Web site or server with messages in a method of attack called
"denial of service." The program doesn't damage the "infected" carrier
computers or the target, but the sudden flood of messages typically knocks
out the target system.
The flaw in the Apple networking software, called Open Transport, could
allow an outsider to use a targeted Mac computer as a carrier.
Although it's possible for target computers to protect themselves from
denial-of-service attacks by ignoring messages, it's hard to identify which
computers are attacking them--especially when there are hundreds. This
fundamental vulnerability of networked computers makes protecting against
denial-of-service attacks extremely difficult.
A study released earlier this year reported that computer security
breaches were up 16 percent from 1996 to 1997, and that computer-related
crime, including security breaches, had cost 241 surveyed organizations $136
million last year.
Users of Macintosh computers, in general, have had fewer security issues to
deal with over the last few years, in part because there were simply more
Windows-based computers to target. But the system itself isn't impervious
to the usual array of viruses and other security issues--and neither is the
software that runs on it.
Last week, for instance, Microsoft said it resolved a potentially troublesome
security problem that would have affected online shoppers using the
Macintosh version of Internet Explorer. The company issued software that
fixes a glitch in the IE 4.5 Web browser which may have made
shopping via the Net a risky proposition if not fixed before Jan. 1,
The new Mac OS 9 security issue was first reported at the Macweek Web site.