Apple patches OS 9 security hole

Apple late Tuesday released a patch for Mac OS 9's Open Transport networking protocol to correct a "flaw" that leaves Macs vulnerable to hackers who could enlist the computers over an Internet connection in distributed denial-of-service (DOS) attacks without the users' knowledge.

The flaw was discovered by Professor John Copeland of the Georgia Institute of Technology, who heads the institute's School of Electrical and Computer Engineering. Only Macs that are running Mac OS 9 and are attached to "always-on" Internet connections, such as digital subscriber lines (DSL) and cable modems, are vulnerable, Copeland said.

In an advisory from Carnegie Mellon University's computer security center, Apple acknowledged earlier today that it "reproduced the problem" and was "moving quickly to put a solution in place." Hours later Apple posted the patch, Open Transport Tuner 1.0, on its Software Updates Web page.

Copeland told MacWEEK that attackers can "scan" cable or DSL networks for computers running Mac OS 9; these Macs can then be sent a small (29-byte) packet of data, which Mac OS 9 replies to with a 1,500-byte datagram.

"This appears to be the way Mac OS 9 explores an Internet route," Copeland said. Attackers can then send "trigger datagrams" with a false source address (that of their target) to a large number of Mac OS 9 computers. If these triggers are sent in rapid succession, Copeland said, the "amplified" responses can overwhelm the target's Internet connection, denying service to that target.
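From a network operator's side, the small-request, large-reply pattern described above shows up in flow records. The following Python sketch is an added example, not code from the article, Copeland or Apple; the record layout, the addresses (documentation ranges), the local prefix and the thresholds are all assumptions, and only the 29-byte and 1,500-byte sizes come from the article.

```python
from collections import defaultdict

# Constructed sample flow records: (time_s, src, dst, bytes).
# Sizes follow the article's 29-byte request / 1,500-byte reply figures.
FLOWS = [
    (0.00, "198.51.100.7", "192.0.2.10", 29),
    (0.01, "192.0.2.10", "198.51.100.7", 1500),
    (0.02, "198.51.100.7", "192.0.2.11", 29),
    (0.03, "192.0.2.11", "198.51.100.7", 1500),
    (0.04, "198.51.100.7", "192.0.2.10", 29),
    (0.05, "192.0.2.10", "198.51.100.7", 1500),
    (0.10, "203.0.113.5", "192.0.2.12", 400),   # ordinary exchange
    (0.12, "192.0.2.12", "203.0.113.5", 600),
]

def find_reflection(flows, local_prefix="192.0.2.", min_ratio=10.0, window=1.0):
    """Group amplified replies by claimed source address.

    The claimed source may be forged, in which case it is the target of
    the reflected traffic rather than the real sender.
    """
    pending = {}  # (local_host, remote) -> (time, bytes) of last unanswered request
    stats = defaultdict(lambda: {"reflectors": set(), "bytes_in": 0, "bytes_out": 0})
    for t, src, dst, size in sorted(flows):
        inbound = dst.startswith(local_prefix) and not src.startswith(local_prefix)
        if inbound:
            pending[(dst, src)] = (t, size)
        elif src.startswith(local_prefix):
            req = pending.pop((src, dst), None)
            if req is None or req[1] <= 0 or t - req[0] > window:
                continue
            if size / req[1] >= min_ratio:  # reply much larger than request
                entry = stats[dst]
                entry["reflectors"].add(src)
                entry["bytes_in"] += req[1]
                entry["bytes_out"] += size
    for entry in stats.values():
        entry["ratio"] = entry["bytes_out"] / entry["bytes_in"]
    return dict(stats)

if __name__ == "__main__":
    for target, entry in find_reflection(FLOWS).items():
        print(target, sorted(entry["reflectors"]), round(entry["ratio"], 1))
```
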

Although DOS attacks are a fact of life on the Internet, "it's much harder to stop a distributed attack," Copeland said, because the sources of the attack aren't even aware of their part in it, even as it occurs.

Prior to Apple's (Nasdaq:AAPL) release of the patch, the only sure defense against this exploit was for users to turn off their computers or disconnect them from their Internet connection, Copeland said.

"I've seen scans of this nature but no attacks yet," said Copeland, who posted online warnings of this type of DOS attack on New Year's Eve. However, Copeland told MacWEEK his warnings are "pure speculation."