Apple fixes another DNS vulnerability

Apple released a security update for its Mac OS X to fix several security issues, most notably for the notorious DNS cache poisoning problem and a vulnerability within PostScript font names.


Apple released a security update for its OS to fix several security issues, most notably another fix for the notorious Domain Name System (DNS) cache poisoning problem as well as a vulnerability within PostScript font names.

The Security Update 2008-006 and Mac OS X v. 10.5.5 security update fixed roughly 35 bugs, including issues with open source components and a login password glitch.

DNS cache poisoning is a major vulnerability first revealed in July by Dan Kaminsky and it affects all operating systems, said Rami Habal, director of product marketing at email security firm Proofpoint.

Apple resolved a DNS problem in its implementation of libresolv, which translates between host names and IP addresses for applications that use the library's unicast DNS resolution API.

This summer, Apple patched its version of the Berkeley Internet Name Domain (BIND) DNS server for the cache poisoning problem.

The DNS vulnerability enables hackers to manipulate the IP address and send users to a spoofed page of a legitimate site, Habal told SCMagazineUS.com on Tuesday.  

“The fake site looks like the real site,” Habal said, “and tricks users into providing personal information.”

Another important patch fixes a flaw in Apple Type Services' handling of PostScript font names, according to the Apple Support website. Viewing a document that contains a malicious font may lead to arbitrary code execution.

“If somebody were to create a specially crafted PostScript document on a website, a user could open the document and leave it vulnerable to an attacker to load malicious software on your computer,” John Pescatore, analyst at Gartner, told SCMagazineUS.com. “That enables trojan horse fonts to be installed.”

Pescatore added that these patches are fairly complicated, but there is disappointment that Apple didn't provide the patches sooner.

“These were serious flaws that took a pretty long time to fix,” he said.

Apple did not respond to a request for comment.

See original article on scmagazineus.com
Copyright © SC Magazine, US edition