
Apple in a bind over BIND

Opinion and Analysis

I've criticised Apple before for being slow to deliver patched versions of open source and other third-party software, but the latest example involving BIND, the software that provides DNS services, is hard to fathom.

Other vendors, including Microsoft and Cisco, released DNS patches earlier this month to protect their customers from the risk of Internet traffic being diverted to malicious servers. Apple's delay means users at sites running Mac OS X Server are still vulnerable to this attack.

Earlier this year, security researchers discovered a weakness in DNS protocols and implementations. DNS (Domain Name System) is the mechanism that converts human-friendly domain names such as www.itwire.com to numeric IP addresses such as 192.168.0.1.

The weakness could be used relatively easily by an attacker to 'poison' (maliciously change) the list of name-to-number mappings already established by a system.

The danger is that users would then be invisibly redirected to web sites other than those they intended to visit. This situation could be used for phishing (capturing people's account credentials for Internet banking and other sites involving value) or to lure visitors to servers loaded with malware that is silently transferred along with the web page (more a problem with Windows than other operating systems).

In a co-ordinated effort, most major vendors released fixes for affected software earlier this month. That included an update for Internet Systems Consortium's BIND, which is the most widely used DNS server.

So where is Apple's update? Please read on.


