New Mac OS X Security Update patches dangerous DNS hole

Posted:
in macOS edited January 2014
Apple late on Thursday offered up its fifth security update of 2008 to address an industry-wide and potentially dangerous flaw in Domain Name System servers that can be exploited for spoofing attacks.



Security Update 2008-005 is available for client versions of Mac OS X Leopard (65MB) and Tiger (Intel, PowerPC) as well as Tiger Server (Intel, PowerPC).



Among the multiple fixes, the most essential is one for the Berkeley Internet Name Domain (BIND) server feature in the operating system. While not enabled by default, the service, when switched on, is potentially vulnerable to exploits of a fundamental flaw in DNS, the system that helps run the Internet by translating website names (such as appleinsider.com) to IP addresses.



Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address. The Apple fix randomizes the source port used for DNS queries and so prevents an easy attack when BIND is active.
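As an added illustration (not part of the original article or of Apple's patch): a defender-side check that takes the UDP source ports seen on a resolver's consecutive outbound queries and reports whether they look randomized, along with the rough number of bits a spoofed reply would have to guess. The sample port lists and the thresholds are constructed assumptions.

```python
import math
import statistics

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

def assess_source_ports(ports, min_distinct_ratio=0.9, min_stdev=3000):
    """Judge resolver source-port randomness from consecutive outbound queries.

    Thresholds are illustrative assumptions, not values from any standard.
    """
    if len(ports) < 3:
        raise ValueError("need at least three observed queries")
    distinct = len(set(ports))
    stdev = statistics.pstdev(ports)
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # A constant step (0 = fixed port, 1 = counter) is fully predictable.
    sequential = all(d == deltas[0] for d in deltas)
    randomized = (not sequential
                  and distinct / len(ports) >= min_distinct_ratio
                  and stdev >= min_stdev)
    if randomized:
        port_space = max(ports) - min(ports) + 1  # observed span, a lower bound
    elif sequential:
        port_space = 1                            # the next port is known
    else:
        port_space = distinct                     # small reused pool
    return {
        "distinct": distinct,
        "stdev": round(stdev, 1),
        "randomized": randomized,
        # Bits an off-path spoofed reply must match: TXID plus source port.
        "guess_bits": round(TXID_BITS + math.log2(port_space), 2),
    }

# Constructed sample captures (not real traffic).
FIXED_PORT = [32768] * 8
COUNTER = [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032]
RANDOMIZED = [49213, 1187, 60433, 23811, 8042, 37655, 15290, 55102]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("counter", COUNTER),
                         ("randomized", RANDOMIZED)]:
        print(name, assess_source_ports(sample))
```

With a fixed or counting source port only the 16-bit transaction ID stands between a forged answer and the cache; a randomized port adds close to another 16 bits.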



Other security updates are also rolled into the update and include guards against arbitrary code execution in CarbonCore, CoreGraphics, Data Detectors, Disk Utility, OpenLDAP, Open Scripting Architecture, OpenSSL, PHP, and rsync.



Mac OS X Leopard users are specifically affected by a potential exploit in the software's QuickLook feature and its handling of Microsoft Office files that could allow malicious code to run.

Comments

  • Reply 1 of 24
    sc_marktsc_markt Posts: 1,401member
    Just installed it a few minutes ago.
  • Reply 2 of 24
    leafyleafy Posts: 34member
    Quote:
    Originally Posted by sc_markt View Post


    Just installed it a few minutes ago.



    This seems to be my first eventful system update. I used Software Update to fetch it. And it stuck for more than 30 minutes at about 10% into updating after the shutdown. Can't think of something to fix it yet.
  • Reply 3 of 24
    Banned
  • Reply 4 of 24
    sapporobabysapporobaby Posts: 1,079member
    Let the banning begin.....
  • Reply 5 of 24
    If you want to be immature, I suggest going to the Dell forums.
  • Reply 6 of 24
    allblueallblue Posts: 393member
    Does this flaw apply to Panther? Or has Apple officially abandoned us 10.3.9 ers?
  • Reply 7 of 24
    abster2coreabster2core Posts: 2,501member
    Quote:
    Originally Posted by allblue View Post


    Or has Apple officially abandoned us 10.3.9 ers?



    Didn't you get the notice?
  • Reply 8 of 24
    franckfranck Posts: 135member
    Quote:
    Originally Posted by Abster2core View Post


    Didn't you get the notice?



    At least not officially
  • Reply 9 of 24
    Vista SP1 wasn't on the notice either.
  • Reply 10 of 24
    allblueallblue Posts: 393member
    Quote:
    Originally Posted by Abster2core View Post


    Didn't you get the notice?



    What? A couple of months ago there was a QuickTime update for us - but that was to make us ITS compatible. So Apple are happy to update us to try and make a bit more profit from their 10.3 customer base, but they are not prepared to secure that same system? Not good. I accept that this is a 5 year old system, but surely they have a moral (even legal?) responsibility to maintain the very minimal level of support required to keep their customers safe? A few pennies from their $1bn+ quarterly profits? I'm sure we would all enjoy being snotty if MS did the same thing, this is a very cynical stance from Apple.
  • Reply 11 of 24
    a_greera_greer Posts: 4,594member
    Quote:
    Originally Posted by IAmMacUser View Post


    If you want to be immature, I suggest going to the Dell forums.



    The company that sells Windows and RHEL servers? Both of which patched this bug weeks ago?



    Yea, Dell isn't really immature, in fact, I am going to go out on a limb here and say that their OS choices for servers are better than Apple's for security's sake. After this, and even before, you would be nuts to use Apple servers running OSX Server for mission critical apps outside of FinalCut server and the 2 or 3 other Mac only server apps.
  • Reply 12 of 24
    mcarlingmcarling Posts: 1,106member
    Quote:
    Originally Posted by allblue View Post


    What? A couple of months ago there was a QuickTime update for us - but that was to make us ITS compatible. So Apple are happy to update us to try and make a bit more profit from their 10.3 customer base, but they are not prepared to secure that same system? Not good. I accept that this is a 5 year old system, but surely they have a moral (even legal?) responsibility to maintain the very minimal level of support required to keep their customers safe? A few pennies from their $1bn+ quarterly profits? I'm sure we would all enjoy being snotty if MS did the same thing, this is a very cynical stance from Apple.



    Are you running a DNS server on a five year old system?
  • Reply 13 of 24
    allblueallblue Posts: 393member
    Quote:
    Originally Posted by mcarling View Post


    Are you running a DNS server on a five year old system?



    No. From the article: "Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address."



    Are you saying that this flaw cannot affect my normal web-surfing?



    Edit: I just read elsewhere that this flaw is only exploitable on servers - the AI article did not make this clear. In light of this I withdraw my gripe above!
  • Reply 14 of 24
    Quote:
    Originally Posted by allblue View Post


    No. From the article: "Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address."



    Are you saying that this flaw cannot affect my normal web-surfing?



    Edit: I just read elsewhere that this flaw is only exploitable on servers - the AI article did not make this clear. In light of this I withdraw my gripe above!



    Just curious, why have you kept your system at 10.3.9?
  • Reply 15 of 24
    allblueallblue Posts: 393member
    Quote:
    Originally Posted by DanaCameron View Post


    Just curious, why have you kept your system at 10.3.9?



    Rather dull explanation I'm afraid. My iMac G4800 came with 10.2, I happily bought 10.3 when it came out, but 10.4 didn't seem such a big thing. Plus, I have been teetering on the brink of buying a new machine for ages, but this one keeps ploughing away so I have got into that 'wait for the next update' rut!

    I was thinking about getting 10.5, my machine was originally within the spec, but when it was released the spec had changed and I was out in the cold. Still, 10.3.9 is super stable, the only feature I would really like to add would be Spotlight. One added bonus is that when I do finally take the plunge with a Nehalem, 10.6, 24 (or even 30) inch iMac deluxe think how that will smoke...
  • Reply 16 of 24
    Quote:
    Originally Posted by allblue View Post


    Rather dull explanation I'm afraid. My iMac G4800 came with 10.2, I happily bought 10.3 when it came out, but 10.4 didn't seem such a big thing. Plus, I have been teetering on the brink of buying a new machine for ages, but this one keeps ploughing away so I have got into that 'wait for the next update' rut!

    I was thinking about getting 10.5, my machine was originally within the spec, but when it was released the spec had changed and I was out in the cold. Still, 10.3.9 is super stable, the only feature I would really like to add would be Spotlight. One added bonus is that when I do finally take the plunge with a Nehalem, 10.6, 24 (or even 30) inch iMac deluxe think how that will smoke...



    I agree with you on the potential "smoke factor" of a Nehalem/10.6/massive iMac combination! I too am nursing along my trusty older Mac (though not quite as old as yours) in anticipation of Apple's offerings next year. If your machine meets 10.4.x spec, you'd certainly do well to upgrade to Tiger. Tiger for me, and many, was (and for some still is) rock solid! You shouldn't lose any of the stability you've come to rely on, and you'd have the added benefit of Spotlight and Smart Folders (I can't remember if 10.3.9 had those). But if you don't NEED Spotlight right now, there's no harm in leaving well enough alone... at least for the next year or so.
  • Reply 17 of 24
    allblueallblue Posts: 393member
    Quote:
    Originally Posted by DanaCameron View Post


    I agree with you on the potential "smoke factor" of a Nehalem/10.6/massive iMac combination! I too am nursing along my trusty older Mac (though not quite as old as yours) in anticipation of Apple's offerings next year. If your machine meets 10.4.x spec, you'd certainly do well to upgrade to Tiger. Tiger for me, and many, was (and for some still is) rock solid! You shouldn't lose any of the stability you've come to rely on, and you'd have the added benefit of Spotlight and Smart Folders (I can't remember if 10.3.9 had those). But if you don't NEED Spotlight right now, there's no harm in leaving well enough alone... at least for the next year or so.



    Part of my thinking is that this G4 iMac design is the most ergonomic desktop ever, and I also think that it is far more aesthetically pleasing than the current black/silver iteration. I will miss it when it is finally replaced. Also I just had the power supply replaced (5 1/2 years, fair enough) so I'm committed to seeing through to next year with this one. In light of that, I would be interested in upgrading to 10.4, particularly as so many apps are now 10.4 and up (Firefox 3 in particular), but Apple don't sell it any more, so I'm not sure about how to get a copy. Spotlight would be very useful now and I'd forgotten about Smart Folders, but how could I get a (legal) copy of Tiger? Any ideas?
  • Reply 18 of 24
    datamodeldatamodel Posts: 126member
    Quote:
    Originally Posted by allblue View Post


    No. From the article: "Any computer left exposed and unpatched against the attack, regardless of operating system, can have its DNS cache "poisoned," tricking the computer into visiting a malicious website even when the user chooses to visit what would normally be a legitimate address."



    Are you saying that this flaw cannot affect my normal web-surfing?



    Edit: I just read elsewhere that this flaw is only exploitable on servers - the AI article did not make this clear. In light of this I withdraw my gripe above!



    Yep, AI was pretty misleading - patching desktop machines has no impact whatsoever on whether they're vulnerable to the exploit. It's whether the DNS servers they resolve from are patched.



    So this is great for those people running OSX or OSX Server as DNS servers, the rest of us need to check/hope that our ISP's done their patching, or use opendns.org, which has...



    Cheers,



    Martin.
  • Reply 19 of 24
    I ran into the same issue, using automatic updates. To solve it I manually grabbed the update file from Apple's download page and the installation finished without hiccups.



    Quote:
    Originally Posted by leafy View Post


    This seems to be my first eventful system update. I used Software Update to fetch it. And it stuck for more than 30 minutes at about 10% into updating after the shutdown. Can't think of something to fix it yet.



  • Reply 20 of 24
    Quote:
    Originally Posted by allblue View Post


    Part of my thinking is that this G4 iMac design is the most ergonomic desktop ever, and I also think that it is far more aesthetically pleasing than the current black/silver iteration. I will miss it when it is finally replaced. Also I just had the power supply replaced (5 1/2 years, fair enough) so I'm committed to seeing through to next year with this one. In light of that, I would be interested in upgrading to 10.4, particularly as so many apps are now 10.4 and up (Firefox 3 in particular), but Apple don't sell it any more, so I'm not sure about how to get a copy. Spotlight would be very useful now and I'd forgotten about Smart Folders, but how could I get a (legal) copy of Tiger? Any ideas?



    A quick Google search revealed multiple hits of Mac OS X Tiger for sale (e.g., at Amazon.com, Studica.com among others) for a little over $100. You may need to shop around for the best price and most-legitimate source.