Apple patches BIND DoS vulnerability
Apple has released Security Update 2009-004 for Mac OS X 10.5.8 Leopard and 10.4.11 Tiger, including the server versions. According to Apple's notes, the update addresses only one issue: a problem in BIND that made it possible to crash a BIND DNS server with a crafted dynamic update message. An exploit for the problem is publicly available. The denial-of-service issue is particularly sensitive because the attacker does not need to authenticate and the server does not need to be specially configured to process dynamic update packets. The attack only succeeds, however, on systems where BIND has been set up as a master for a zone; slave zones are unaffected.
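Because exposure depends on whether the server is master for at least one zone, an administrator can triage a host by listing the master zones in its BIND configuration. The following is an added example, not code from Apple or ISC; the sample configuration and zone names are constructed, and the parser assumes all zones are declared in a single named.conf text (it does not follow `include` statements).

```python
import re

# Constructed sample configuration (not from the article or from Apple).
SAMPLE_NAMED_CONF = '''
options { directory "/var/named"; };  // global options
zone "example.test" IN {
    type master;            # authoritative copy lives here
    file "example.test.zone";
    allow-update { none; };
};
/* secondary copy, transferred from another server */
zone "partner.test" {
    type slave;
    masters { 192.0.2.1; };
    file "partner.test.bak";
};
zone "." { type hint; file "named.ca"; };
'''

_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_ZONE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:\w+\s*)?\{')
_TYPE = re.compile(r'\btype\s+([\w-]+)\s*;')

def strip_comments(text):
    """Remove //, # and /* */ comments while leaving quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def zone_types(conf_text):
    """Return {zone name: type} for every zone block in a named.conf string."""
    text = strip_comments(conf_text)
    zones = {}
    for m in _ZONE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:      # walk to the matching closing brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        t = _TYPE.search(text, m.end(), i)
        zones[m.group(1)] = t.group(1).lower() if t else 'unknown'
    return zones

def master_zones(conf_text):
    """Zones for which this server is master (newer BIND also accepts 'primary')."""
    return sorted(z for z, t in zone_types(conf_text).items() if t in ('master', 'primary'))

if __name__ == '__main__':
    for zone in master_zones(SAMPLE_NAMED_CONF):
        print('master zone:', zone)
```

An empty result means the configuration declares no master zones, which is the case the article describes as unaffected.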
Apple responded to the report of the problem within two weeks. This is an improvement over 2008, when a similar issue took over three weeks to be fixed. The security update comes a week after Mac OS X 10.5.8 was released with a number of security fixes, and days after an update for Safari that closed holes in the browser. The update is available to download for Mac OS X 10.4.11 on PowerPC and Intel, Mac OS X Server 10.5.11 on PowerPC and Intel and for Mac OS X 10.5.8. It is also available from Apple's Support Downloads page and via Software Update.
- About Security Update 2009-004, details from Apple.