July 31, 2008 10:30 PM PDT

Apple releases patch for critical DNS flaw

by Steven Musil

Apple released a security update Thursday to users of its Tiger and Leopard operating systems to address a critical and well-publicized Domain Name System flaw, along with a dozen other updates.

The DNS flaw, which was first reported by Dan Kaminsky of IOActive on July 8, could allow attackers to redirect Web site visitors to any site they choose and present forged information. The DNS translates the common name of a Web site into its numerical IP address, and is therefore a fundamental component of the Internet.

During the second pre-Black Hat security conference Webinar on July 24, Kaminsky provided the most information to date about the DNS flaw, which he found earlier this year but only disclosed in public on July 8. His announcement coincided with a massive, multivendor patch release. But he withheld details, hoping that most people would get their systems patched before the bad guys got hold of them.

However, exploit code that could allow someone to attack the DNS was available in various places on the Internet on July 23.

Apple's update also fixes a QuickLook bug where loading a malicious Microsoft Office file could lead to "arbitrary code execution."

Apple recommends Security Update 2008-005 for all systems running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4. The update is available at Apple.com or through the update mechanism in OS X.

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
(31 Comments)
by Ed Lin August 1, 2008 12:08 AM PDT
Apple patched the DNS flaw one month after MS patched it, and nearly two months after they were informed May 5th before the exploit was made public.
by kool_skatkat August 1, 2008 12:25 AM PDT
Apple and MS have exactly the same operating system and this was a race to see who patches it first. oooh, the MS patch came with some problems.. mmm...

Secure but can't do much with it? Maybe that's better... for Ed. The worst patch is one that causes more problems and can't be un-installed.
by oneoclock August 1, 2008 3:15 AM PDT
"Apple and MS have exactly the same operating system"

You must be living in a different universe than everybody else.
by Vegaman_Dan August 1, 2008 7:56 AM PDT
Wow. Your comments are rather... imaginative. I do wonder what medications you may be on.... or need to be on.
by joetesta70 August 1, 2008 3:31 AM PDT
$TEVE JOB$ = GREED INCARNATE. What kind of a guy hoards billions of dollars while his peers like Gates, Dell, Ellison, Brin, Lazaridis, etc. all do philanthropic things? Buy a mac and give NOTHING back.

$TEVE, do you want to change the world or sell songs all your life?

The products are innovative (don't get me wrong) but it's all CLOSED and PROPRIETARY TOO. Why would I buy EVERY song I want on iTunes when I can get millions of songs on other services for what is really a small monthly fee? The only reason is the iPod, but that differentiation is going away. Why isn't the iPhone open?

The Penguin is coming for you $teve.
by edaboy51 August 1, 2008 8:14 AM PDT
Sick
by Dalkorian August 1, 2008 3:45 PM PDT
Dude, go see a counselor. You have serious mental problems that need to be worked out. EVERYONE who pays monthly for a "subscription" music service has mental problems. Try missing a payment or two and see how much music you have.
by wilsonckm August 1, 2008 3:41 AM PDT
Did the Mac guy forget to take his daily vitamin or did the Apple just rot?
by delf76 August 1, 2008 5:04 AM PDT
I guarantee, if Microsoft took this long to release a patch for something as serious as this, everybody would be screaming.

Why did it take them so long to get a patch out?
by ittesi259 August 1, 2008 8:18 AM PDT
Probably to avoid the issues the MS patch ended up with.....I'd rather take longer and do it right than do it quick and not properly test.
by sanenazok August 1, 2008 6:14 AM PDT
Even though this was a documented hole and Apple had a known problem, there was no exploit. Why? Because nobody writes hacks for Apple's small market share. If they did there would be a crapload of security holes to exploit in the OS, gawdawful Quicktime and so forth. Also, where are the updates for earlier OS X's? They all have the same *nix core and the same vulnerability, right? I guess nobody uses Panther anymore...oh wait I have a laptop running this. Thanks Steveo!
by ittesi259 August 1, 2008 8:19 AM PDT
Wow, ignorance is ugly.....I guess you forgot or don't know that DNS is not an OS-specific thing.....
by sanenazok August 1, 2008 8:33 AM PDT
ittesi259: oh yeah Apple wasn't patching OS X's DNS components then what was it doing? Sure it's a global DNS problem, but if you read my comment, the problem with Apple is the amount of time it took Apple to patch it and then to not patch an older OS with the same code-base just different look.
by The_Decider August 1, 2008 8:42 AM PDT
That argument that OSX doesn't get attacked because of market share has been disproved so many times it is funny that even someone as technically illiterate as you would try to parrot it.

Market share and security have nothing to do with each other.

With a 1% market share, Windows would still be swiss cheese.

See also Apache and OS9. Apache is the market leader but not the leader in exploits. OS9 had a significantly smaller market share than OSX yet had many exploits in the wild.
by sanenazok August 1, 2008 9:37 AM PDT
The marketshare argument was disproven, how exactly? Like you're disproving it now? Also, who's talking about OS9, that's ancient. It's like talking about NT4...I now have a Panther (that's a version of OS X) with a well known security hole that nobody will exploit for some reason.
by Dalkorian August 1, 2008 3:49 PM PDT
Sometimes it's fun to feed a troll, isn't it?
by Perry_Clease August 1, 2008 6:48 AM PDT
"The Penguin is coming for you $teve."

Not to worry, Batman took care of him.
by jamalystic August 1, 2008 7:02 AM PDT
Why is apple doing the patches now? Is it because of their arrogant behaviour on security issues as one expert suggested? Apple's Arrogant Attitude About Security (http://www.internetevolution.com/author.asp?section_id=515&doc_id=142628&F_src=flftwo)
by Perry_Clease August 1, 2008 7:24 AM PDT
You DTs act as if only Apple software had this DNS flaw.
by sanenazok August 1, 2008 7:41 AM PDT
Oh acronym master, I'm no digital tv or Deutsche Telekom. Anyways, the reason why we're critical of Apple is not because the hole existed but because it took them so long to patch it. Given how critical it was, and given Apple's ridiculous claims vis-à-vis security, it's understandable that Apple's called on this obvious mistake.
by Perry_Clease August 1, 2008 8:02 AM PDT
" I'm no digital tv or Deutsche Telekom"

No, but you are a dufus troll
by sanenazok August 1, 2008 8:34 AM PDT
Sorry not up to date on your private acronyms. Although it's stupid of you to make personal attacks on people you don't know. Care to respond to the rest of my comments?
by Dalkorian August 1, 2008 3:55 PM PDT
He's tossed you enough bones, troll, but I'll take a crack at toying with you. It's a boring day here at work, you see. You're being awfully critical of Apple for taking what, a whole month to release a patch? It has only begun to be exploited (due to the code being public) for roughly a week now. Perfect? No, but certainly not deserving of the trashing you're giving them. The patch works, came out in a reasonable amount of time (not delayed for months, but weeks) and is easy to apply. You're grasping at straws to find a problem with this, but I guess even trolls need to eat.
by Vegaman_Dan August 1, 2008 7:57 AM PDT
I'm glad that Apple released this patch to address their current version of the OS. I look forward to them releasing a similar patch for the older OS's as there are still millions of people using the older stuff for the PPC platforms.
by ittesi259 August 1, 2008 8:20 AM PDT
Hate to say it, but I believe within 2 years any hope of PPC support will be dead in the water.
by The_Decider August 1, 2008 8:44 AM PDT
MS for once rolled out a patch fast.

Too bad it was half-baked and caused lots of problems.

Getting out patches quickly is good, correctly implementing the patch is much better.

MS failed yet again. Big surprise.
by sanenazok August 1, 2008 9:44 AM PDT
Uhm the problems with MS08-037 were caused by ZoneAlarm and only affected people running this software. Do you blame Apple every time an application on OS X crashes or causes problems?
by DrtyDogg August 1, 2008 2:07 PM PDT
No that would still be Microsoft's fault in The_Decider's world
by KTLA_knew August 1, 2008 9:56 AM PDT
All the other major vendors were able to successfully release patches before the issue was made public. I'd be curious as to why Apple was in a different position where they couldn't get them out before exploits were running around.

Maybe there was a really good reason they were slower than everyone else? They certainly have a really bad track record on security over the last few years (esp. recently), but there could be all kinds of variables here.

Anyone know why they were slow to the party?
by Dalkorian August 1, 2008 4:00 PM PDT
Wow, the Apple Haters Club really came out in force in these comments. Apple releases a patch for a critical DNS flaw a couple of WEEKS after everyone else did. Not a stellar time scale, sure, but it's not like everyone was vulnerable for months at a time either. Yet to read these trolls' comments, Apple sat around forever doing nothing. Um, I see a patch released here, people, and guess what - it works (I installed it this morning without issues, like most of Apple's patches). This isn't a bad thing, no matter how much you want to hate.
by ferretboy88 August 4, 2008 9:08 PM PDT
The Apple fan boys don't fool anyone. They are the first people to run down every other system and company. They can get some too.