Apple Finally Issues Fix For Critical DNS Security Flaw

The Cupertino, Calif.-based computer company Friday posted Security Update 2008-005, a fix that plugs several security holes, including Apple's implementation of the BIND (Berkeley Internet Name Domain) server, which left users of its Mac OS X operating system susceptible to the DNS flaw.

The DNS problem was discovered by security researcher Dan Kaminsky, who planned to disclose the threat at next week's Black Hat USA 2008 in Las Vegas. But two researchers leaked details of the flaw and how to exploit it in separate blog posts last week, exposing equipment from numerous vendors to security risks.

While vendors such as Cisco Systems and Microsoft were quick to issue fixes, Apple came under fire for moving too slowly to patch up the hole.

The DNS error stems from a fundamental flaw in the DNS protocol, a function which provides a back and forth translation of host URLs to IP addresses. The vulnerability could be exploited by attackers to launch cache poisoning attacks by creating fake messages accepted by the DNS that can trick the server into delivering an incorrect request. Attackers could then use the flaw to redirect Internet traffic to malicious Web sites and install arbitrary code on users PCs.

Apple's security update addresses the DNS exploit as well as several other fixes that impact Mac OS X Server 10.4, Mac OS X 10.4.11, Mac OS X Server 10.5 and Mac OS X 10.5.4

--Stefanie Hoffman contributed to this story.