Network News

X My Profile
View More Activity

Apple Patches DNS Flaw and 16 Other Holes

Apple released updates to fix at least 17 different security holes in its OS X operating system and other software late Thursday, including a patch for the domain name system (DNS) vulnerability that many other affected vendors addressed nearly three weeks ago.

Security Update 2008-005 patches a serious flaw in the DNS that could allow hackers to hijack users' Internet connections or silently redirect them to counterfeit Web sites. Cisco, Microsoft, Sun Microsystems and a host of Linux projects pushed out a coordinated fix for the flaw on July 8, when it was first disclosed, and Apple immediately took heat for not releasing its patch then as well.

My guess is that Apple planned all along to release its patch this week or early next. Dan Kaminsky, the researcher who discovered the DNS flaw and helped coordinate the release of the patches to fix it, tried to withhold details about how the flaw might be exploited until his scheduled talk at next week's Black Hat hacker convention in Las Vegas. That plan obviously fell apart more than a week ago, when other researchers posted details online showing precisely how to exploit the vulnerability.

Updates are available for Mac OS X v10.4.11, Mac OS X Server v10.4.11,Mac OS X v10.5.4, Mac OS X Server v10.5.4, via Software Update or Apple Downloads.

If you have questions about these patches, the DNS vulnerability or other related computer security questions, join me today at 11 a.m. ET for my regularly scheduled online discussion.

By Brian Krebs  |  August 1, 2008; 9:45 AM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Black Hat Talk on Apple Encryption Flaw Pulled
Next: Microsoft to Open Kimono on Security Patches


I understand the DNS flaw was in BIND, which is not enabled by default. Is that true?

Posted by: Scott Lahteine | August 1, 2008 11:00 AM | Report abuse

Is the music site affected? It has Apple pages.

Posted by: O. Redding | August 1, 2008 12:13 PM | Report abuse

SANS has a diary post up on this at

Two interesting points from that post:

"Seems we all need to urge Job's gang to release patches significantly faster: it's the price to pay to base parts of your system on open source code."

"Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness."

Posted by: TJ | August 1, 2008 12:37 PM | Report abuse

The DNS flaw affects DNS servers only, since most users don't have one, they don't need the patch.

That's not to say that the average user won't be affected by the flaw, because if they're using a flawed DNS server (the one from their ISP, for instance) they may be affected.

What Apple did was release a patch for OS X Server, for OS X Server based DNS servers.

Posted by: Carlos | August 1, 2008 12:39 PM | Report abuse

Carlos> The DNS flaw affects DNS servers only, since most users don't have one, they don't need the patch.

That is false.

The stub resolver on any system can be attacked. Stub resolvers that don't randomize source ports are just as vulnerable as recursive nameservers; the difference is:

- Stub resolvers can't be attacked by making recursive queries. Instead a client software-based attack must be used, e.g. a web page with Javascript that causes a large number of lookups.
- The impact of a successful attack is limited to the targeted system. With nameservers, a poisoned cache affects lookups for all clients using the nameserver for recursion.

It is reported in the ISC post cited above by TJ that the Apple patches for OSX 10.5 and 10.4 fail to effect source port randomization in the stub resolver, leaving Apple clients vulnerable. This is independent of anything Apple has done with respect to OS X Server. RTFA.

Posted by: antibozo | August 1, 2008 11:59 PM | Report abuse

more importantly, data released from the ISC indicates that Apple desktops remain vulnerable even after applying the patch

Posted by: Anonymous | August 2, 2008 1:27 AM | Report abuse

The reason that the DNS poisoning attack was so nefarious is because it effects the very backbone of the internet, the DNS servers. Implicating that Apple (or Microsoft, for that matter) is somehow neglectful for not updating their client OSes is obscuring the real issue - that the ISPs who are running DNS servers that have not been updated should do so immediately. Any who don't would be subject to incredible financial, legal and PR issues should their DNS be poisoned.

Posted by: Steve | August 2, 2008 9:19 AM | Report abuse

This may have been previously mentioned, but the bottom line is here:

Web-based DNS Randomness Test
Test Your DNS


Posted by: J. Warren | August 3, 2008 6:23 AM | Report abuse

I still don't understand why Apple waited so long. Why take the risk that the details of the flaw would be leaked, which of course they were? Why not get the patch out there as quickly as possible? I'm not surprised they're taking heat. I didn't realize they'd been dragging their feet like this.


Posted by: Erica | August 4, 2008 4:01 PM | Report abuse

Okay, so where did the comments that were attached to this post go?

Posted by: antibozo | August 7, 2008 5:06 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company