Apple eliminates DNS server vulnerability under Mac OS X
Apple has released Security Update 2008-005 for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4 and Mac OS X Server v10.5.4, which, along with other fixes, eliminates the vulnerability of recursive name servers to cache poisoning. BIND is updated to version 9.3.5-P1 under Mac OS X 10.4.11, and to version 9.4.2-P1 under Mac OS X 10.5.4. It has taken Apple more than three weeks from the point at which the official patch was available to issue these BIND updates. Apple didn't even think it necessary to issue a warning to its customers.
Users should now install the update as soon as possible, in order to immunise their servers against the attacks that are already going on. This also applies to those who are vulnerable, but are not yet under active attack. Although, according to ISC, server performance may be degraded by P1, a slow server is better than a vulnerable one. By the end of this week, the ISC will release P2 for BIND, which it hopes will solve the performance problem. It remains to be seen how long Apple will take to deliver it.
Besides the name server problem, the update fixes a number of other flaws. These include critical holes in PHP 5.2.5 – although this is only supplied with Leopard – as well as in QuickLook, OpenSSL, CarbonCore and CoreGraphics. The errors in CoreGraphics enable attackers to insert code into a system and run it, for example using crafted PDF documents. QuickLook can similarly be attacked using manipulated Office documents. With this update, Apple has also closed the hole in the Open Scripting Architecture in connection with ARDAgent that made it easier for potential attackers to obtain root rights to a system.
Less critical errors in rsync, OpenLDAP, Disk Utility and the Data Detectors Engine, which usually only caused the system to crash, are also fixed by the update, which is available for download now. Depending on the target platform, the download is between 65 and 143 MB in size.
- About Security Update 2008-005, vulnerability report from Apple
- ISC statement about BIND9's recent -P1 releases, statement by Paul Vixie
- DNS Attack Writer a Victim of His Own Creation, report by PC World
- DNS hole - no patch yet from Apple
- DNS vulnerability exploits released
- DNS security problem details released
- Massive DNS security problem endangers the internet