Customers who have installed Mac OS 9 are susceptible to being used in "denial of service" attacks from malicious programmers if their computer is hooked up to the Internet via "always on" digital subscriber line (DSL) or cable modem connections.
The computer expert who discovered the flaw said that it does not appear that Mac computers themselves are being shut down by attacks, but that they merely are capable of being used as pawns to harm other computers.
Dr. John Copeland, who chairs the Georgia Institute of Technology's School of Electrical and Computer Engineering, said the correction for the flaw needs to be applied before New Year's Eve in order to prevent the Macs from being used to attack other computers. As previously reported by CNET News.com, security experts have warned of a possible concerted effort to attack computers on New Year's Eve.
Apple has already issued a fix for the problem at its Web site.
Carnegie Mellon University's Computer Emergency Response Team (CERT) said in an advisory note that "Intruders can flood networks with overwhelming amounts of traffic or cause machines to crash or otherwise become unstable."
It does not appear that any computers have yet been used in such attacks; CERT merely reported that such an attack was possible.
Cupertino, Calif.-based Apple said in a posted reply to the CERT team: "We've reproduced the problem in our labs. The problem only affects customers running our most recent release of networking software on machines that are continuously attached to the Internet."
"Apple is aware of the CERT advisory and has taken steps to address it," confirmed an Apple spokesman. "While we believe the potential risks to our customers are extremely small, we have worked quickly to provide the latest and most secure software to Mac users," he said.
In addition to downloading the fix and installing it themselves, users can let Mac OS 9 update itself automatically with the fix once it becomes available on specialized Apple servers, but only when that feature has been enabled by the user.
Most Macintosh customers are not affected by this problem, Apple said.
Denial of service attacks aren't new, but there has been a sudden surge in them. Recently, two new families of attacking programs, called the "Tribe Flood Network" and "Trinoo," were identified by experts. Computer experts believe that some attacks are timed to go off when the century turns.
Generally, denial of service attacks work like this: An attacker secretly embeds software into hundreds of unwitting computers. Then, at a selected time, a command is issued that prompts the infected computers to swamp a target Web site or server with messages in a method of attack called "denial of service." The program doesn't damage the "infected" carrier computers or the target, but the sudden flood of messages typically knocks out the target system.
The flaw in the Apple networking software, called Open Transport, could allow an outsider to use a targeted Mac computer as a carrier.
Although it's possible for target computers to protect themselves from denial-of-service attacks by ignoring messages, it's hard to identify which computers are attacking them--especially when there are hundreds. This fundamental vulnerability of networked computers makes protecting against denial-of-service attacks extremely difficult.
A study released earlier this year reported that computer security breaches were up 16 percent from 1996 to 1997, and that computer-related crime, including security breaches, had cost 241 surveyed organizations $136 million last year.
Users of Macintosh computers, in general, have had fewer security issues to deal with over the last few years, in part because there were simply more Windows-based computers to target. But the system itself isn't impervious to the usual array of viruses and other security issues--and neither is the software that runs on it.
Last week, for instance, Microsoft said it resolved a potentially troublesome security problem that would have affected online shoppers using the Macintosh version of Internet Explorer. The company issued software that fixes a glitch in the IE 4.5 Web browser that may have made shopping via the Net a risky proposition if not fixed before Jan. 1, 2000.
The new Mac OS 9 security issue was first reported at the Macweek Web site.