Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Patches Kaminsky DNS Vulnerability

Posted by kdawson on from the cache-me-if-you-can dept.

Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.

8 of 89 comments (clear)

  1. They might have been slow... by PsyQo · · Score: 5, Funny

    They might have been slow with this patch, but boy does it look good!

  2. Maybe they took the time to get it right? by homesnatch · · Score: 5, Interesting

    Someone mentioned that Apple's delay was due to the patch causing a problem with some environment... Maybe Apple had to take the extra time to get it right.

    I would have preferred that Redhat did as well... The Redhat ES 4 patch for BIND left a couple of my DNS domains offline for a few hours.

  3. leopard and syslogd by Speare · · Score: 5, Informative

    Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release. leopard syslogd I don't use TimeMachine at all, so most people's theories implicating TM is probably not accurate. I'll leave the MBP on overnight and when I wake up the CPU heat is way above normal because syslogd crapped itself again. (The fan speed vs CPU heat function is also pretty sucky.) Some video glitches even start appearing when the CPU heat stays high for a while. I'm going to just kill it hourly by cron, but Apple should also get its butt in gear and just fix it.

    --
    [ .sig file not found ]
    1. Re:leopard and syslogd by whyloginwhysubscribe · · Score: 5, Funny

      It must be bad - even cuil has hits relating to this: http://www.cuil.com/search?q=leopard+syslogd

  4. Re:The clients still vulnerable ?? by BuhDuh · · Score: 5, Informative

    Anybody care to test it for real using both an apple server and laptop, using dnsoarc, to get some real info?

    Done! See Swa Frantzen's update at the isc Seems like they may have patched the server code, but the client is still using sequentially incrementing ports.

    --
    Enlightenment? It's just a flush in the pan.
  5. Re:Good job apple by MacColossus · · Score: 5, Informative

    Quicktime streaming server, podcast producer, Fortune 500 companies with Macs needing a decent AFP stack and Workgroup Manager to control client side privileges on Mac workstations. Another reason might be a desire not to be financially sodomized by Microsoft on CAL's but the admin has a fear of Linux due to inexperience. (Not every GUI junkie has seen Webmin, KDE, Ubuntu desktop and such). A couple of good Mac Server/Administration sites are www.afp548.com and www.macenterprise.org. Hope this has been educational.

  6. DNS patch causes BIND blunder by MacColossus · · Score: 5, Interesting

    http://www.zdnet.com.au/news/security/soa/DNS-patch-causes-BIND-blunder/0,130061744,339290928,00.htm Could this have been what took Apple so long? Not as entertaining as posting "Apple sucks", but worth a look nonetheless.

  7. Re:Good job apple by MightyYar · · Score: 5, Funny

    I don't think "tons" will get you very far when it comes to statistics.

    I don't know... have you ever priced out a ton of artists? Those things are really skinny and you really get your money's worth.

    The biggest rip-off is a ton of IT guys. You get like 1, maybe 1-1/2 in the whole damned load.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.