New Mac OS X Security Update patches dangerous DNS hole
Apple late on Thursday offered up its fifth security update of 2008 to cover an industry-wide and potentially dangerous exploit of Domain Name System server access for spoofing attacks.
Security Update 2008-005 is available for client versions of Mac OS X Leopard (65MB) and Tiger (Intel, PowerPC) as well as Tiger Server (Intel, PowerPC).
Among the multiple fixes, the most essential is one for BIND, the Berkeley Internet Name Domain server included in the operating system. While not enabled by default, the service, when switched on, is potentially vulnerable to exploits of a fundamental flaw in the Domain Name System, which translates website names (such as appleinsider.com) to IP addresses.
Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address. The Apple fix randomizes the source port for DNS information and so prevents an easy attack when BIND is active.
Other security updates are also rolled into the update and include guards against arbitrary code execution in CarbonCore, CoreGraphics, Data Detectors, Disk Utility, OpenLDAP, Open Scripting Architecture, OpenSSL, PHP, and rsync.
Mac OS X Leopard users are specifically affected by a potential exploit in the software's QuickLook feature and its handling of Microsoft Office files that could allow malicious code to run.
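To illustrate the source-port fix described above, the following added example (not code from Apple, BIND or this article) classifies the UDP source ports seen on a resolver's outbound queries and computes how many bits a forged reply would have to match. The port lists are constructed sample data, and the function names and the `min_stdev` threshold are assumptions of this example.

```python
import math
import statistics

TXID_SPACE = 2 ** 16  # the DNS header's transaction ID is 16 bits wide

# Constructed samples: source ports of ten consecutive outbound queries.
UNPATCHED = [32768] * 10                      # one fixed port for every query
SEQUENTIAL = list(range(1025, 1035))          # many ports, but predictable
PATCHED = [49213, 1893, 60551, 23170, 8412,
           37644, 15009, 52998, 30127, 44786]  # spread over the port range


def port_spread(ports):
    """Summarise the source ports seen on a resolver's outbound queries."""
    distinct = len(set(ports))
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return {
        "distinct": distinct,
        "stdev": statistics.pstdev(ports),
        # Sequential allocation also yields many distinct ports, so check
        # whether every step between consecutive queries is identical.
        "sequential": distinct > 1 and len(steps) == 1,
    }


def rate(ports, min_stdev=3000.0):
    """Classify port behaviour; min_stdev is this example's own threshold."""
    spread = port_spread(ports)
    if spread["distinct"] == 1:
        return "fixed"
    if spread["sequential"] or spread["stdev"] < min_stdev:
        return "predictable"
    return "randomized"


def guess_space_bits(port_pool):
    """Bits a forged reply must match: transaction ID plus source port."""
    return math.log2(TXID_SPACE * port_pool)


if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED),
                         ("sequential", SEQUENTIAL),
                         ("patched", PATCHED)):
        print(name, rate(sample))
    print("fixed port:", guess_space_bits(1), "bits")
    print("16384-port pool:", guess_space_bits(2 ** 14), "bits")
```

With a fixed port only the 16-bit transaction ID stands between a spoofed reply and the cache; a pool of 16,384 random ports raises that to 30 bits.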
Comments
Just installed it a few minutes ago.
This seems to be my first eventful system update. I used Software Update to fetch it. And it stuck for more than 30 minutes at about 10% into updating after the shutdown. Can't think of something to fix it yet.
Or has Apple officially abandoned us 10.3.9 ers?
Didn't you get the notice?
At least not officially
What? A couple of months ago there was a QuickTime update for us - but that was to make us ITS compatible. So Apple are happy to update us to try and make a bit more profit from their 10.3 customer base, but they are not prepared to secure that same system? Not good. I accept that this is a 5 year old system, but surely they have a moral (even legal?) responsibility to maintain the very minimal level of support required to keep their customers safe? A few pennies from their $1bn+ quarterly profits? I'm sure we would all enjoy being snotty if MS did the same thing, this is a very cynical stance from Apple.
If you want to be immature, I suggest going to the dell forums.
The company that sells Windows and RHEL servers? Both of which patched this bug weeks ago?
Yea, Dell isn't really immature, in fact, I am going to go out on a limb here and say that their OS choices for servers are better than Apple's for security's sake. After this, and even before, you would be nuts to use Apple servers running OSX Server for mission critical apps outside of FinalCut server and the 2 or 3 other Mac-only server apps.
Are you running a DNS server on a five year old system?
No. From the article: "Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address."
Are you saying that this flaw cannot affect my normal web-surfing?
Edit: I just read elsewhere that this flaw is only exploitable on servers - the AI article did not make this clear. In light of this I withdraw my gripe above!
Just curious, why have you kept your system at 10.3.9?
Rather dull explanation I'm afraid. My iMac G4800 came with 10.2, I happily bought 10.3 when it came out, but 10.4 didn't seem such a big thing. Plus, I have been teetering on the brink of buying a new machine for ages, but this one keeps ploughing away so I have got into that 'wait for the next update' rut!
I was thinking about getting 10.5, my machine was originally within the spec, but when it was released the spec had changed and I was out in the cold. Still, 10.3.9 is super stable, the only feature I would really like to add would be Spotlight. One added bonus is that when I do finally take the plunge with a Nehalem, 10.6, 24 (or even 30) inch iMac deluxe think how that will smoke...
I agree with you on the potential "smoke factor" of a Nehalem/10.6/massive iMac combination! I too am nursing along my trusty older Mac (though not quite as old as yours
Part of my thinking is that this G4 iMac design is the most ergonomic desktop ever, and I also think that it is far more aesthetically pleasing than the current black/silver iteration. I will miss it when it is finally replaced. Also I just had the power supply replaced (5 1/2 years, fair enough) so I'm committed to seeing through to next year with this one. In light of that, I would be interested in upgrading to 10.4, particularly as so many apps are now 10.4 and up (Firefox 3 in particular), but Apple don't sell it any more, so I'm not sure about how to get a copy. Spotlight would be very useful now and I'd forgotten about Smart Folders, but how could I get a (legal) copy of Tiger? Any ideas?
Yep, AI was pretty misleading - patching desktop machines has no impact whatsoever on whether they're vulnerable to the exploit. It's whether the DNS servers they resolve from are patched.
So this is great for those people running OSX or OSX Server as DNS servers; the rest of us need to check/hope that our ISP's done their patching. Or use opendns.org, which has...
Cheers,
Martin.
A quick Google search revealed multiple hits of Mac OS X Tiger for sale (e.g., at Amazon.com, Studica.com among others) for a little over $100. You may need to shop around for the best price and most-legitimate source.