Apple Patches Kaminsky DNS Vulnerability

Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.

No patch for OS X 10.3 ?

[Katchina'404]

As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

Mac OS X 10.3 server dates back to October 2003 (http://www.apple.com/pr/library/2003/oct/08pantherserver.html), so it's just short of 5 years. It's not THAT old, especially for a server products that's likely to be used in some SMEs.

Or is 10.3 not affected ?

Re:They might have been slow...

[maxume]

They were notified in January.

Maybe they took the time to get it right?

[homesnatch]

Someone mentioned that Apple's delay was due to the patch causing a problem with some environment... Maybe Apple had to take the extra time to get it right.

I would have preferred that Redhat did as well... The Redhat ES 4 patch for BIND left a couple of my DNS domains offline for a few hours.

Re:They might have been slow...

[Kamokazi]

To be fair, 10.3 was released in 2003. Windows 98 was released in....1998. A little bit of a difference there.

Basically, you are forced to pay to get a security update that older OSes, even Microsoft ones are recieving for free (as they should). I'd be really pissed if MS forced us to pay to upgrade our Win2k3 domain controller for the update. You could have bought an Xserve in 2005 with 10.3, and not be able to get this update without upgrading your entire OS. Only 3-year support on a server? That's ludicrious. Anyone remotely considering Apple for their enterprise hardware will probably immediately disregard them after this.

Re:leopard and syslogd

[illumin8]

Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release. leopard syslogd I don't use TimeMachine at all, so most people's theories implicating TM is probably not accurate.

Dude, that problem has been around since October of 2007, when Leopard was first released. It's been fixed and I think it's related to spotlight trying to index your syslog files. Seriously, if it's still bothering you that much, google for a fix or call Apple tech support.

DNS patch causes BIND blunder

[MacColossus]

http://www.zdnet.com.au/news/security/soa/DNS-patch-causes-BIND-blunder/0,130061744,339290928,00.htm [zdnet.com.au] Could this have been what took Apple so long? Not as entertaining as posting "Apple sucks", but worth a look nonetheless.

KaminskyKaminskyKaminsky

[Timothy Brownawell]

At least they're down to only using his name twice in the summary, even if one of them is in the title... I'd been starting to wonder if all the articles about the DNS bug were really just about how l33t he was for publicizing it and having it fixed.