Apple Bites Back At Critical DNS Flaw
Apple took nearly a month after other major DNS system vendors to release a patch for a major vulnerability that has exploit code in the wild.
Administrators for Apple systems running DNS will see a patch among the items arriving in a newly-released security update for their OS X operating system. The widely discussed cache poisoning flaw could cause a nameserver to return forged information to a system requesting it.
Numerous major vendors met earlier in the year to discuss the problem with DNS. On July 8, Microsoft, Cisco, and others released a patch to address what has been described as the most serious flaw ever seen online.
Exploit code quickly became available once a security researcher, Halvar Flake, speculated on the nature of the flaw. A security firm briefed on the flaw confirmed the hypothesis with a blog post they published and subsequently withdrew, unfortunately not before many witnessed that confirmation.
If exploited, a cracked nameserver could redirect requests for websites to any site of the attacker’s choosing. Couple that with a well-forged financial site, and the criminal owns an easy way to steal personal information with no indication to the victim about the event.
The BIND nameserver is turned off by default in OS X, limiting the scope of the vulnerability on the platform. But considering the deep roots OS X has in Unix-type operating systems, it seems strange the company took so long to follow the rest of the industry in patching DNS.