Stephen Withers
Monday, 04 August 2008 07:05
Opinion and Analysis
Page 1 of 3
Late last week Apple finally released a security update for Mac OS X that includes a patched version of the BIND DNS software. In all, there were a dozen patches released including the potentially serious BIND fix.
Security Update 2008-005 is available in various forms for the client and server versions of Mac OS X 10.4.11 and 10.5.4 (PowerPC and Intel).
BIND is part of Mac OS X, but is not enabled by default, A flaw in BIND made it vulnerable to cache poisoning attacks, which could lead to Internet traffic being silently diverted to malicious servers.
The underlying problem in the protocol was discovered earlier this year, and the developers of BIND and other affected DNS implementations worked to release new versions of the software early last month.
Apple was relatively slow to deliver an updated version of BIND to its customers.
Apple's update installs version 9.3.5-P1 on Mac OS X 10.4.11 and 9.4.2.-P1 on 10.5.4.
Eleven other issues are fixed by Security Update 2008-005.
The SecurityAgent and
ARDAgent issues reported earlier this year have been addressed by blocking privilege escalation for scripting additions.
Additional bounds checking in CarbonCore prevents long file names from causing a stack buffer overflow in CarbonCore which could previously lead to unexpected application termination or the execution of arbitrary code.
What else has been fixed? Find our on
page 2.
