August 1, 2008 9:30 AM PDT
Security Update 2008-005 released, closes DNS hole
Apple has released Security Update 2008-005, which resolves a widely reported BIND DNS issue that could result in cache poisoning attacks from remote attackers.
- Security Update 2008-005 (Leopard [Intel and PowerPC]) [65MB]
- Security Update 2008-005 (Intel for Mac OS X 10.4.11) [143MB]
- Security Update 2008-005 (PPC) [88MB]
- Security Update 2008-005 Server (PPC) [135MB]
- Security Update 2008-005 Server (Intel) [180MB]
The update closes these specific security vulnerabilities, among others:
- A local user may execute commands with elevated privileges: "A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges."
- BIND is susceptible to DNS cache poisoning and may return forged information: "The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information."
- Processing long filenames may lead to an unexpected application termination or arbitrary code execution. "A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution."
- Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. "CoreGraphics contains memory corruption issues in the processing of arguments."
- Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. "An integer overflow in the handling of PDF files may result in a heap buffer overflow. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution."
Problems after updating? Please let us know.
All peripherals remained connected during the process.
Dual 2.0 PPC G5 4GB RAM, 10.5.4
Everything went smoothly with the PPC Tiger version. Downloaded and installed manually. Repaired permissions before and after. The initial startup took what felt like a long time, but things are fine now.
No problems here either. Normal Restart after installation. Usual Shockwave permissions to be fixed.
G4 iBook 10.4.11 and G5 PPC 10.4.11.
Ian
PowerMac G4 15"
Is it just me? With the last couple of Leopard security updates, lots of apps crash right after auto-restart, including Disk Utility. Which is OK. However, upon restarting and checking repair disk (it's OK), the estimated time given for verifying or repairing permissions is in DAYS. The actual time is 3-4 hours. Isn't this a bit long? Permissions repair used to zip through.
According to Apple's website, yes. This is the CVE for this problem, CVE-2008-2830, and Apple's website shows Open Scripting Architecture as part of this patch:
http://support.apple.com/kb/HT2647
But is it really fixed? That is another issue; see the DNS patch for 10.4.11:
http://blog.ncircle.com/blogs/sync/archives/2008/08/apple_dns_patch_fails_to_rando.html
I noticed that other people refer to this article so it appears no one else has independently verified this flaw in 10.4.11 Security Update 2008-005 for DNS BIND.
TidBits actually have the test for this, and on my Leopard system I still see this DNS problem. Here is the TidBits link that shows you how to check if this is fixed or not:
http://db.tidbits.com/article/9721
Noticed that the port numbers are sequential and that is part of the vulnerability. I checked an old 10.3.9 system using the same command and I see the same thing there.
Again, I wonder when they will patch this patch for this DNS issue.
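The comment above notes that sequential source ports are part of the vulnerability. As an added example (not from the article or any commenter), this script classifies a list of UDP source ports seen on a resolver's successive outgoing queries; the sample ports are constructed and the two thresholds are assumptions.

```python
from collections import Counter

MIN_SAMPLES = 5          # assumption: fewer observations say nothing useful
PREDICTABLE_SHARE = 0.5  # assumption: one step filling half the gaps is a pattern

def classify_source_ports(ports):
    """Classify UDP source ports seen on successive outgoing DNS queries.

    Returns (verdict, detail); verdict is 'fixed', 'sequential',
    'patterned' or 'randomized'.
    """
    if len(ports) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} observed ports")
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError("UDP ports must be in 1..65535")

    if len(set(ports)) == 1:
        return "fixed", f"every query left from port {ports[0]}"

    # Step between consecutive ports, modulo 2**16 so a wrap past 65535
    # does not show up as a negative step.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    step, count = Counter(steps).most_common(1)[0]

    if count / len(steps) >= PREDICTABLE_SHARE:
        verdict = "sequential" if step == 1 else "patterned"
        return verdict, f"step {step} in {count} of {len(steps)} gaps"
    return "randomized", f"{len(set(ports))} distinct ports, no dominant step"

# Constructed sample observations (not captured from any real system).
SAMPLES = {
    "one port reused": [53] * 8,
    "counter": [49152, 49153, 49154, 49155, 49156, 49157, 49158, 49159],
    "counter, other traffic interleaved":
        [49152, 49153, 49155, 49156, 49157, 49159, 49160, 49161],
    "randomized": [51034, 12877, 60211, 3391, 44802, 29015, 57760, 18446],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        verdict, detail = classify_source_ports(ports)
        print(f"{name:36} {verdict:11} {detail}")
```

Collect the ports on the resolver's own outbound interface: a NAT device in the path can rewrite source ports, so what a remote observer sees may not match what the resolver chose.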
Read the reports carefully. Client software was not patched. Only the server versions were patched. It is highly unlikely (although possible) that this flaw would make any client machine vulnerable. The attacker would have to be on the same LAN and, in that case, there would be many more efficient ways of poisoning the DNS than this flaw.
So, again, read fully for once. The OS X you use on your home machine is not OS X Server but is OS X Client. It has not been patched and probably will not be patched any time soon.
A minor elaboration:
The previous comment is somewhat confusing. Are we referring to Client OS/Server OS or DNS Client/DNS Server?
The Macintosh OS X 10.5.4 Client has been updated to the very latest version of BIND available.
[mac:~] user% named -v
BIND 9.4.2-P1
Perhaps, as the researchers speculate, there is a DNS client configuration setting (/etc/resolv.conf) that needs to be modified. We don't have that information.
I wonder if anyone was running Privoxy and had difficulties since this patch? I'm running Privoxy on one of my systems here and notice Privoxy is having problems keeping track of which ports and files are connecting, so you cannot get your content properly. I noticed when I do a netstat I see a huge amount of ports open for Privoxy, but Privoxy doesn't route them to you for some unknown reason, but this only happened after I updated with 2008-005. I had no problems for the last 5 years with Privoxy before this patch.
Try setting the Startup Disk in the System Preferences. That should clear up the ? at startup.
More info can be had here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111363&intsrc=news_ts_head
Apple have become major league money focused and don't seem to care much about fixing issues properly if at all in this case.
I have to assume this is hyperbole:
"Apple have become major league money focused and don't seem to care much about fixing issues properly if at all in this case."
Please scan the DNS Operations mailing list or various security lists for information on the action required for the DNS patch. To the best of my analysis, Apple has complied with the patch requirements as published.
Please do attribute malice where other reasons are equally plausible.
Shouldn't that be "Please DON'T attribute malice where other reasons are equally plausible"?
Since the flaw only affects DNS servers, unless you're running a local DNS server there's absolutely no reason any change or fix is required for your system.
Is this why Comcast has been experiencing connection problems for the past couple of days -- and gmail as well
'Your internet connection is experiencing problems or your network administrator has blocked Gmail chat' ???
Because of a DNS server problem?
- by tacit August 1, 2008 5:29 PM PDT
No. If it were related to a DNS server problem, you'd be seeing errors like "Safari can't find the server. Safari can't open the page “http://www.google.com/” because it can't find the server “google.com”."