New Mac OS X Security Update patches dangerous DNS hole

[AppleInsider]

Apple late on Thursday offered up its fifth security update of 2008 to cover an industry-wide and potentially dangerous exploit of Domain Name System server access for spoofing attacks.

Security Update 2008-005 is available for client versions of Mac OS X Leopard (65MB) and Tiger (Intel, PowerPC) as well as Tiger Server (Intel, PowerPC).

Among the multiple fixes, the most essential is one for the Berkeley Internet Name Domain server feature in the operating system, or BIND. While not enabled by default, the service when switched on is potentially vulnerable to exploits of a fundamental flaw in the DNS system that helps govern the Internet protocol and translates website names (such as appleinsider.com) to IP addresses.

Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address. The Apple fix randomizes the source port for DNS information and so prevents an easy attack when BIND is active.

Other security updates are also rolled into the update and include guards against arbitrary code execution in CarbonCore, CoreGraphics, Data Detectors, Disk Utility, OpenLDAP, Open Scripting Architecture, OpenSSL, PHP, and rsync.

Mac OS X Leopard users are specifically affected by a potential exploit in the software's QuickLook feature and its handling of Microsoft Office files that could allow malicious code.

[ View this article at AppleInsider.com ]

[sc_markt]

Just installed it a few minutes ago.

[leafy]

Quote:

Originally Posted by sc_markt

Just installed it a few minutes ago.

This seems to be my first eventful system update. I used Software Update to fetch it. And it stuck for more than 30 minutes at about 10% into updating after the shutdown. Can't think of something to fix it yet.

[dadsgravy]

Banned

[sapporobaby]

Let the banning begin.....

[IAmMacUser]

If you want to be immature, I suggest going to the dell forums.

[allblue]

Does this flaw apply to Panther? Or has Apple officially abandoned us 10.3.9 ers?

[Abster2core]

Quote:

Originally Posted by allblue

Or has Apple officially abandoned us 10.3.9 ers?

Didn't you get the notice?

[Franck]

Quote:

Originally Posted by Abster2core

Didn't you get the notice?

At least not officially

[EyeNsteinNo]

Vista SP1 wasn't on the notice either.

[allblue]

Quote:

Originally Posted by Abster2core

Didn't you get the notice?

What? A couple of months ago there was a QuickTime update for us - but that was to make us ITS compatible. So Apple are happy to update us to try and make a bit more profit from their 10.3 customer base, but they are not prepared to secure that same system? Not good. I accept that this is a 5 year old system, but surely they have a moral (even legal?) responsibility to maintain the very minimal level of support required to keep their customers safe? A few pennies from their $1bn+ quarterly profits? I'm sure we would all enjoy being snotty if MS did the same thing, this is a very cynical stance from Apple.

[a_greer]

Quote:

Originally Posted by IAmMacUser

If you want to be immature, I suggest going to the dell forums.

The conpamy that sells windows and RHEL servers? both of which patched this bug weeks ago?

Yea, Dell isn't really immature, in fact, I am going to go out on a limb here and say that their OS choices for Servers are better than Apples for security sake. after this, and even before, you would be nuts to use apple servers running OSX Server for mission critical apps outside of FinalCut server and the 2 or 3 other mac only server apps.

[mcarling]

Quote:

Originally Posted by allblue

What? A couple of months ago there was a QuickTime update for us - but that was to make us ITS compatible. So Apple are happy to update us to try and make a bit more profit from their 10.3 customer base, but they are not prepared to secure that same system? Not good. I accept that this is a 5 year old system, but surely they have a moral (even legal?) responsibility to maintain the very minimal level of support required to keep their customers safe? A few pennies from their $1bn+ quarterly profits? I'm sure we would all enjoy being snotty if MS did the same thing, this is a very cynical stance from Apple.

Are you running a DNS server on a five year old system?

[allblue]

Quote:

Originally Posted by mcarling

Are you running a DNS server on a five year old system?

No. From the article: "Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address."

Are you saying that this flaw cannot affect my normal web-surfing?

Edit: I just read elsewhere that this flaw is only exploitable on servers - the AI article did not make this clear. In light of this I withdraw my gripe above!

[DanaCameron]

Quote:

Originally Posted by allblue

No. From the article: "Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address."

Are you saying that this flaw cannot affect my normal web-surfing?

Edit: I just read elsewhere that this flaw is only exploitable on servers - the AI article did not make this clear. In light of this I withdraw my gripe above!

Just curious, why have you kept your system at 10.3.9?

[allblue]

Quote:

Originally Posted by DanaCameron

Just curious, why have you kept your system at 10.3.9?

Rather dull explanation I'm afraid. My iMac G4800 came with 10.2, I happily bought 10.3 when it came out, but 10.4 didn't seem such a big thing. Plus, I have been teetering on the brink of buying a new machine for ages, but this one keeps ploughing away so I have got into that 'wait for the next update' rut!
I was thinking about getting 10.5, my machine was originally within the spec, but when it was released the spec had changed and I was out in the cold. Still, 10.3.9 is super stable, the only feature I would really like to add would be Spotlight. One added bonus is that when I do finally take the plunge with a Nehalem, 10.6, 24 (or even 30) inch iMac deluxe think how that will smoke...

[DanaCameron]

Quote:

Originally Posted by allblue

Rather dull explanation I'm afraid. My iMac G4800 came with 10.2, I happily bought 10.3 when it came out, but 10.4 didn't seem such a big thing. Plus, I have been teetering on the brink of buying a new machine for ages, but this one keeps ploughing away so I have got into that 'wait for the next update' rut!
I was thinking about getting 10.5, my machine was originally within the spec, but when it was released the spec had changed and I was out in the cold. Still, 10.3.9 is super stable, the only feature I would really like to add would be Spotlight. One added bonus is that when I do finally take the plunge with a Nehalem, 10.6, 24 (or even 30) inch iMac deluxe think how that will smoke...

I agree with you on the potential "smoke factor" of a Nehalem/10.6/massive iMac combination! I too am nursing along my trusty older Mac (though not quite as old as yours ) in anticipation of Apple's offerings next year. If your machine meets 10.4.x spec, you'd certainly do well to upgrade to Tiger. Tiger for me, and many, was (and for some still is) rock solid! You shouldn't lose any of the stability you've come to rely on, and you'd have the added benefit of Spotlight and Smart Folders (I can't remember if 10.3.9 had those). But if you don't NEED Spotlight right now, there's no harm in leaving well enough alone... at least for the next year or so.

[allblue]

Quote:

Originally Posted by DanaCameron

I agree with you on the potential "smoke factor" of a Nehalem/10.6/massive iMac combination! I too am nursing along my trusty older Mac (though not quite as old as yours ) in anticipation of Apple's offerings next year. If your machine meets 10.4.x spec, you'd certainly do well to upgrade to Tiger. Tiger for me, and many, was (and for some still is) rock solid! You shouldn't lose any of the stability you've come to rely on, and you'd have the added benefit of Spotlight and Smart Folders (I can't remember if 10.3.9 had those). But if you don't NEED Spotlight right now, there's no harm in leaving well enough alone... at least for the next year or so.

Part of my thinking is that this G4 iMac design is the most ergonomic desktop ever, and I also think that it is far more aesthetically pleasing than the current black/silver iteration. I will miss it when it is finally replaced. Also I just had the power supply replaced (5 1/2 years, fair enough) so I'm committed to seeing through to next year with this one. In light of that, I would be interested in upgrading to 10.4, particularly as so many apps are now 10.4 and up (Firefox 3 in particular), but Apple don't sell it any more, so I'm not sure about how to get a copy. Spotlight would be very useful now and I'd forgotten about Smart Folders, but how could I get a (legal) copy of Tiger? Any ideas?

[datamodel]

Quote:

Originally Posted by allblue

No. From the article: "Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address."

Are you saying that this flaw cannot affect my normal web-surfing?

Edit: I just read elsewhere that this flaw is only exploitable on servers - the AI article did not make this clear. In light of this I withdraw my gripe above!

Yep, AI was pretty misleading - patching desktop machines has no impact whatsoever on whether they're vulnerable to the exploit. It's whether the DNS servers they resolve from are patched.

So this is great for those people running OSX or OSX Server as DNS servers, the rest of us need to check/hope that our ISP's done their patching. or use opendns.org, which has...

Cheers,

Martin.

[bluesystem]

I run into the same issue, using automatic updates. To solve it I manually grabbed the update file from Apple's download page and the installation finished without hiccups.

Quote:

Originally Posted by leafy

This seems to be my first eventful system update. I used Software Update to fetch it. And it stuck for more than 30 minutes at about 10% into updating after the shutdown. Can't think of something to fix it yet.

[DanaCameron]

Quote:

Originally Posted by allblue

Part of my thinking is that this G4 iMac design is the most ergonomic desktop ever, and I also think that it is far more aesthetically pleasing than the current black/silver iteration. I will miss it when it is finally replaced. Also I just had the power supply replaced (5 1/2 years, fair enough) so I'm committed to seeing through to next year with this one. In light of that, I would be interested in upgrading to 10.4, particularly as so many apps are now 10.4 and up (Firefox 3 in particular), but Apple don't sell it any more, so I'm not sure about how to get a copy. Spotlight would be very useful now and I'd forgotten about Smart Folders, but how could I get a (legal) copy of Tiger? Any ideas?

A quick Google search revealed multiple hits of Mac OS X Tiger for sale (e.g., at Amazon.com, Studica.com among others) for a little over $100. You may need to shop around for the best price and most-legitimate source.

[aresee]

Quote:

Originally Posted by DanaCameron

Just curious, why have you kept your system at 10.3.9?

My 75 year old mother is staying at 10.3.9. Why, her eyesight is failing and she finds learning new things to very difficult. As long as things don't break we don't change.

[chunky harlem steamer]

Quote:

Originally Posted by IAmMacUser

If you want to be immature, I suggest going to the dell forums.

Whatever. It was a joke. I guess not as good as your dell joke. There is no humor in a dangerous DNS hole. None whatsoever.

[leafy]

Quote:

Originally Posted by bluesystem

I run into the same issue, using automatic updates. To solve it I manually grabbed the update file from Apple's download page and the installation finished without hiccups.

I did the same thing by the end of the day and it worked too. The weird thing is that software update patch had to be run after shutdown, but the downloaded bundle ran straight while I am still using the computer.

[Mr. H]

oops…