|[8:00 AM] Apple Moves At Internet Speeds To Squash Denial Of Service Bug In Mac OS 9
Apple has moved at blinding speeds normally only seen in the Open Source community to squash an exploit in Mac OS 9 (and Mac OS 8.6 with some Mac models). Reported yesterday by MacInTouch, and initially discovered by Professor John Copeland of the Georgia Institute of Technology, this exploit makes it possible to launch a "Denial of Service" (DOS) attack using Macs in part of the attack. A DOS attack is any Internet based attack that is designed to simply deny service to the targeted victim. From Professor Copeland's FAQ on this issue:
Q. What is the "Attack Phase."
A. In the attack phase a computer on the Internet, probably a LINUX or UNIX machine, will send "trigger datagrams" to 40 or more OS 9 Macintoshes (slaves) in rapid secession. The trigger datagrams have a false source address, that of a computer in the target organization. This causes all the slaves to send a rapid steady stream of 1500-byte ICMP packets at the target organization.
Q. How would an attacker know that my Mac is connected to the Internet?
A. The attacker uses a "scan" program that sends probe datagrams (Internet data packets) to every address assigned to a company that supplies cable modem or ADSL services. The OS 9 Macintoshes respond to the probe datagram with a distinctive 1500-byte ICMP datagram that includes their Internet addresses. The attacker builds up a list of addresses that are used later in the Attack Phase.
Q. Will my Macintosh be damaged?
A. The Macintosh used will not be damaged. You may not even notice it is being used. Once Apple publicly releases the "OT Tuner" that fixes the problem, you may be legally liable for making it possible for a cyber-terrorist to use your computer to attack someone else, if you do not apply the fix and still leave your Macintosh connected to the Internet.
MacInTouch has assembled a special report on this issue that contains other information.
Unlike some other mainstream operating system manufacturers who can move very slowly to fix these types of exploits, Apple had moved by the end of the day yesterday to release a patch that will fix this problem. The patch is called OT Tuner 1.0 and is absolutely recommended for all Mac OS 9 users and Mac OS 8.6 users on PowerMac G4s, iBooks, or iMac DV models (including the 350 MHz iMac, and 400 MHz iMac DV Special Edition). From the update page on Apple's web site:
OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues.
To install, drag the OT Tuner 1.0 file to the System Folder (the tuner will be put in the extensions folder for you). Then restart your Macintosh.
Mac OS 9; Mac OS 8.6 for PowerMacintosh G4, iBook, and iMac (Slot-loading) computers.
Note: This is only for Mac OS 8.6 if you have one of the three computers mentioned above. It is for all Mac OS 9 users.
Open Transport 2.5.2
Any Macintosh computer capable of running Mac OS 9
This software consists of a self-mounting Disk Copy compressed image (.smi) file. Download this software to your hard drive and then double-click it to use it. You do not need Disk Copy to access .smi files.
You can download the patch directly from Apple's web site on the OT Tuner 1.0 web page.
The Mac Observer Spin: These types of exploits have been part and parcel of the Windows and linux worlds for years. At the same time, there have been very few such issues for Macs. In the Open Source community, due to the very nature of the users, patches to fix various exploits have often been released the same day, sometimes within a few hours, as the exploit or bug was found. Microsoft, on the other hand, has often been very slow to correct many of the tons of security holes that plague Windows 9x and Windows NT. With this in mind, it is great to see Apple taking such an issue seriously and move so quickly to fix it.