bind posts

Filed under: OS, Open Source, Security

10.5.5 update fixes DNS vulnerability

Apple's Mac OS X 10.5.5 update (and Security Update 2008-006) fixes a critical DNS vulnerability that could allow attackers to trick victims into visiting malicious Web sites using what's known as a "cache poisoning attack." We wrote about the vulnerability in August.

Although Apple's release notes say BIND was updated "to address performance issues," the update also delivers the promised source port randomization that protects users from such cache poisoning attacks. The original patch offered protection for Apple's servers but did not completely protect client systems.

Apple's updates fixed flaws in several applications and system components, including some that attackers could use to run unauthorized software on a user's computer.

[Via IDG.]

Filed under: Software Update, Security

Apple Security fix includes BIND update

Yesterday, shortly after I read TidBITS' post on securing the DNS flaw that Apple had ignored for a while, Apple released a security fix which finally took care of the situation. This comes 3 weeks after the security industry began taking matters into their own hands. This fix does overwrite the files updated in the TidBITS post on manually correcting the issue, mentioned above.

In Apple's notes on the update, they mention fixes for:

  • Open Scripting Architecture, which addresses the ARDAgent issue which allowed Trojan Horses and non-administrator users to gain root access
  • The aforementioned BIND issue which allowed for DNS poisoning (allowing malicious websites to forge their identity)
  • A CarbonCore stack buffer overflow which allowed for arbitrary code execution
  • A CoreGraphics memory corruption issue and a CoreGraphics PDF weakness, both allowing for arbitrary code execution
  • A Data Detectors issue which could be exploited for [DOS](http://en.wikipedia.org/wiki/Denial-of-service_attack) attacks
  • A Repair Permissions/emacs exploit in Disk Utility
  • An LDAP weakness
  • An OpenSSL weakness
  • Multiple PHP vulnerabilities
  • A flaw in QuickLook's handling of maliciously crafted Microsoft Office files
  • An issue with rsync's handling of symbolic links

Some of those had been reported, some I hadn't heard about previously, but I'm certainly feeling more secure this morning.

[via Macworld]
