Security Update 2008-05 : DNS Flaw Finally Fixed

Apple released Security Update 2008-05 which contains fixes for:

  • an Open Scripting Architecture (CVE-2008-2830) privilege elevation issue [10.4/10.5 Workstation & Server]
  • a filename handling issue in CarbonCore (CVE-2008-2320) which may lead to an application Denial of Service (DoS) or arbitrary code execution [10.4/10.5 Workstation & Server]
  • a web-exploitable CoreGraphics issue (CVE-2008-2321) that could lead to application DoS or arbitrary code execution [10.4/10.5 Workstation & Server]
  • another CoreGraphics issue (CVE-2008-2322) with PDF rendering, leading to application DoS or arbitrary code execution [10.4/10.5 Workstation & Server]
  • an issue with DataDetectors (CVE-2008-2323) where maliciously crafted content could lead to an application DoS [10.5 Workstation & Server]
  • a really cool permissions issue with Disk Utility (CVE-2008-2324) that would have allowed local users to act with system privileges [10.4 Workstation & Server]
  • an issue with OpenLDAP (CVE-2008-2952) where an attacker could have created an application DoS [10.4/10.5 Workstation & Server]
  • another DoS potential in OpenSSL (CVE-2007-5135) if maliciously crafted bad packets are processed [10.4/10.5 Workstation & Server]
  • five PHP 5 fixes [10.5 Workstation & Server]
  • a QuickLook issue with Microsoft Office documents (CVE-2008-2325) causing either an application DoS or arbitrary code execution [10.5 Workstation & Server]
  • two rsync vulnerabilities that may result in data access outside the module root [10.4/10.5 Workstation & Server]

The “big daddy” of this update is a fix for the DNS cache poisoning problem that has been in the Apple and general tech & security news recently. This is a pretty severe issue, as DNS is the backbone of how systems & applications get IP addresses from host names (so they know where to send you on the Internet), and the ability to corrupt those databases means you really cannot trust where your network packets are going. Apple is the last major vendor to release a fix for this flaw and rightfully deserves some flak for it, since they could have deployed the patch on July 8th with the majority of the other vendors but chose to wait until this update bundle was ready to release.

OS X Server is the most likely candidate for actually running BIND (the process that manages DNS on a system) and you need to patch IMMEDIATELY if you are using it. It takes a bit of work to do this on plain-old Mac OS X, but you should run the update as soon as possible as well (especially for some of the other fixes).

A gaping hole still exists in OS X 10.3 and below: you will need to do a bit of work (download, compile & install the package from the ISC by hand) if you are still running those systems and hosting DNS. While supporting older operating system releases presents a real challenge to companies like Apple & Microsoft, it is not unreasonable to expect there to be a decent number of 10.3 systems in the wild that need tending to, and Apple should have done more to ensure coverage for those installations (or at least have provided a series of steps one could take to fix the issue).

Apple clearly dropped the ball here and has called into question their true commitment to security on their OS X platform or at least their ability to react quickly given all of the efforts they have in play. One also needs to remember that a version of OS X runs on the iPhone, iPhone 3G and iPod Touch and it is unclear whether the issues with CoreGraphics and DataDetectors exist on those platforms as well. It is much more difficult to both issue firmware updates and ensure decent update coverage with those mobile devices and Apple may need to come up with a way to deploy critical security fixes over-the-air directly to them rather than force consumers to do a full sync/update to remain secure.

The security update should show up in Software Update and is also available via direct download from Apple.

Let TAB readers know your take on how Apple handled this situation by dropping a note in the comments!

