Apple fixes another DNS vulnerability

By

Apple released a security update for its Mac OS X to fix several security issues, most notably for the notorious DNS cache poisoning problem and a vulnerability within PostScript font names.


Apple released a security update for its OS to fix several security issues, most notably another fix for the notorious Domain Name System (DNS) cache poisoning problem as well as a vulnerability within PostScript font names.

The Security Update 2008-006 and Mac OS X v. 10.5.5 security update fixed roughly 35 bugs, including issues with open source components and a login password glitch.

DNS cache poisoning is a major vulnerability first revealed in July by Dan Kaminsky and it affects all operating systems, said Rami Habal, director of product marketing at email security firm Proofpoint.

Apple resolved a DNS problem in its implementation of libresolv, which provides translation between host names and IP addresses for applications that use the unicast DNS resolution API found in Libresolv.

This summer, Apple patched its version of the Berkeley Internet Name Domain (BIND) DNS server for the cache poisoning problem.

The DNS vulnerability enables hackers to manipulate the IP address and send users to a spoofed page of a legitimate site, Habal told SCMagazineUS.com on Tuesday.  

“The fake site looks like the real site,” Habal said, “and tricks users into providing personal information.”

Another important patch fixes a flaw in Apple Type Services' handling of PostScript font names, according to the Apple Support website. Viewing a document that contains a malicious font may lead to arbitrary code execution.

“If somebody were to create a specially crafted PostScript document on a website, a user could open the document and leave it vulnerable to an attacker to load malicious software on your computer,” John Pescatore, analyst at Gartner, told SCMagazineUS.com. “That enables trojan horse fonts to be installed.”

Pescatore added that these patches are fairly complicated, but there is disappointment that Apple didn't provide the patches sooner.

“These were serious flaws that took a pretty long time to fix,” he said.

Apple did not respond to a request for comment.

See original article on scmagazineus.com
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
anotherapplednsfixessecurityvulnerability

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?