Thursday, July 31, 2008, 11:40 pm
New Mac OS X Security Update patches dangerous DNS holeApple late on Thursday offered up its fifth security update of 2008 to cover an industry-wide and potentially dangerous exploit of Domain Name System server access for spoofing attacks.
Security Update 2008-005 is available for client versions of Mac OS X Leopard (65MB) and Tiger (Intel, PowerPC) as well as Tiger Server (Intel, PowerPC).
Among the multiple fixes, the most essential is one for the Berkeley Internet Name Domain server feature in the operating system, or BIND. While not enabled by default, the service when switched on is potentially vulnerable to exploits of a fundamental flaw in the DNS system that helps govern the Internet protocol and translates website names (such as appleinsider.com) to IP addresses.
Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address. The Apple fix randomizes the source port for DNS information and so prevents an easy attack when BIND is active.
Other security updates are also rolled into the update and include guards against arbitrary code execution in CarbonCore, CoreGraphics, Data Detectors, Disk Utility, OpenLDAP, Open Scripting Architecture, OpenSSL, PHP, and rsync.
Mac OS X Leopard users are specifically affected by a potential exploit in the software's QuickLook feature and its handling of Microsoft Office files that could allow malicious code.