
July 31, 2008


Security Update 2008-005 is out, fixes DNS flaw

Posted Jul. 31, ’08, 8:03 PM PT by Thomas Gagnon-van Leeuwen
Category | Security

Security Update 2008-005 is out in various flavors, and it’s a biggie. With it, Apple finally fixes a serious DNS flaw which our own Dan Moren described a few days back:

The flaw in question, uncovered by security researcher Dan Kaminsky, revealed a method by which the DNS’s cache could be “poisoned”—that is, false data could be used to replace real data, so instead of going to your bank’s website, you would be sent to a fake website, even though your location bar would still tell you that you were at your bank’s site. Scary stuff.

Scary indeed, and considering many companies fixed this issue a while ago, Apple was not helping its bad rep of lagging behind when it comes to fixing critical security flaws. Anyhoo, we’re certainly glad it’s been taken care of.

But wait, that’s not all! This update also fixes a number of flaws in Data Detectors, Disk Utility, OpenSSL, and more. Apple has compiled a handy and exhaustive list for your viewing pleasure.

So don’t delay, fire up Software Update and get your Mac all patched up.


6 Comments

Call Me Yo Daddy said:

Just installed this now. Everything seems to be working fine. Apple may be slow at updating security issues but at least we know they are coming eventually. :)

Anonymous said:

According to the Security Update doc:
"The recently reported ARDAgent and SecurityAgent issues are addressed by this update."
So this also fixes the vuln that allowed you to get root. This is a double big patch!

Kelmon said:

Apple's silence on security issues, plus delays in actually releasing fixes, really is not helping them. Security is important and customers need to know that they are taking things seriously. When you are pretty much the last manufacturer to get a fix out and haven't said a word on the issue then, frankly, customers don't know if you're even working on a fix. I think they should seriously consider starting a security blog to have a dialog with customers so that we know what's going on. The MobileMe updates were kinda nice and I think the same would benefit security concerns.

There's a time and a place for secrecy, and this wasn't one of them.

Bill said:

All these stories leave out the following statement from the release information to sensationalize this:

"and is not enabled by default"

Anonymous said:

@Bill:

As a security expert and someone who uses Mac OS X Server in a professional environment I can tell you that most OS X Servers would have bind turned on. OS X Server works much better if you let it do authentication, dns and dhcp, so this would make a large portion of the servers vulnerable.

Also if all other major players think that the vulnerability warrants a concerted effort, then you have something to explain if you don't take part in this.

At least our Apple contact person has heard in a very clear voice that we were not happy with Apple's conduct.

Dave-O said:

Nothing is louder or clearer than an anonymous post.

How's this for a "concerted effort"? The fix had been around for years. It wasn't until a vulnerability was disclosed that anybody actually did anything about it. Everyone waited too long, including at&t...

It's not like installing bind on your own server is hard (for someone remotely qualified to run a server). If you are afraid to do so until Apple has done the QA on it, then who are you to complain that it took longer?

I agree with the general sentiment that Apple needs to back up its security claims with something substantive; that recent efforts (namely sandboxing and library randomization in Leopard) were poorly implemented. However, running a server means taking some responsibility for your own operation.
