Recent Software Flaws Bite Into Apple’s Security

Times Staff Writer

Enthusiastic Macintosh owners brag that the digital plagues of worms, viruses and Trojan horses so common to Microsoft Corp.’s Windows operating system rarely visit their sleek machines.

It may be, though, that Apple doesn’t fall too far from the PC. Three times this month, Apple Computer Inc. has been accused of failing to warn Mac owners of serious flaws in their software.

In the most recent instance, users of Apple’s OS X operating system could have data deleted or stolen if they follow an e-mail link to websites built by hackers. At the sites, PCs can be compromised by malicious code.

The vulnerability received attention this week on electronic bulletin boards covering Apple topics. Amateurs have posted directions for changing the OS X settings targeted by the attack.

Responding to questions from The Times on Thursday, Apple said in a statement that it was “actively investigating this potential security issue.”

Software companies constantly weigh the pros and cons of publicizing problems and publishing patches for their products. In the past, Microsoft has been excoriated for being slow to fix holes in Windows, which powers most of the world’s personal computers.

That omnipresence is what makes Windows such a tempting target to hackers. Because Apple produces fewer than 5% of the world’s computers, Apple flaws often receive less attention on security sites and e-mail lists.

The recent discoveries of flaws in Mac software comprise “the most serious issues being found at one time” in the company’s history, said Chris Wysopal, vice president of security consulting firm AtStake Inc.

This month, an independent security site identified another flaw that let attackers take control of machines if users played malicious QuickTime videos.

Apple eventually released a patch -- programming that mends holes in software -- but described it only as a fix for potential system crashes, according to the site, Eeye Digital Security Inc.

“Apple is doing a disservice to its customers by incorrectly labeling this vulnerability,” Eeye wrote when it publicized the hole and the patch for it.

Said Eeye Chief Operating Officer Firas Raouf, “I think that they’re starting to play games.”

Another security problem -- the hijacking of computers through the settings on Macs for sharing files -- was patched this month after its discovery by AtStake. On its website, Apple said the fix was “to improve the handling of long passwords.”

Asked whether Apple should tell customers how to protect their machines from attack, William Allen, who designs Symantec Corp. anti-virus programs for the Macintosh, said, “That’s certainly polite.”
