Monday, August 4, 2008

Apple's fix for major DNS security hole finally arrives

Nearly three weeks after Microsoft patched its Windows operating system to protect against attacks exploiting a flaw in DNS, Apple has delivered its own fix.

The DNS flaw, discovered by security researcher Dan Kaminsky, allows attackers to divert traffic to Web sites of their choice through an issue with BIND, software that powers DNS servers.

While a random transaction ID is generated to initiate each communication, certain setups reduce the number of possible values, making the correct ID easier to guess. Kaminsky even said there was a way to guess correctly in only a couple of tries.

Microsoft's response was near immediate, as was Linux distributor Debian's. For unknown reasons, however, Apple did not fix the problem at the time of disclosure, and the exploit code's accidental leak late last month made action all the more necessary.

While Kaminsky was scheduled to detail the issue at the annual Black Hat conference on July 24, the exploit code appeared on the Internet a day earlier.

Microsoft saw the issue as so important that it took the unusual step of reminding customers of the patch on July 25. The company also acknowledged the existence of exploit code at that time.

For Apple customers, the DNS fix is available for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4. Users can download the security update through Apple's Web site or use the Software Update feature within the operating system.

In addition to the DNS patch, Apple also fixed a Microsoft Office file issue where a problem with QuickLook could lead to code execution, according to an advisory.
