Mac OS X Security Update 11/21/2002

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,782
8,957
In your Software Update:

This Security Update fixes potential vulnerabilities introduced in BIND, the domain server and client library software package from Internet Software Consortium (ISC), that is shipped with Mac OS X and Mac OS X Server. BIND version 8.3.4 addresses the recently-discovered potential vulnerabilities where an unauthorized person may disrupt the normal operation of the DNS name service. BIND is not activated by default on Mac OS X or Mac OS X Server.
 

foniks2020

macrumors regular
Apr 19, 2002
168
0
BIND in summary

BIND is the most popular UNIX software for broadcast and resolution of domain names, i.e. it tells your Mac that the www address www.apple.com should resolve to the IP address 17.254.3.183.

BIND is included in OS X as a way to run your own DNS system... if you feel the need or would like to set up custom resolution tables for an internal network (most useful for the latter).

So if you have, say, ten machines on your home LAN and you want to have each run a web site or ftp or whatever, and you don't want to have to use the IP address but would rather call them by a name, i.e. iMac.myhome.net, you can use BIND to do this.
 

MacBandit

macrumors 604
It does mention that BIND is not activated by default in OSX. So that must mean that this is just to cover their butts in the off chance that someone is using it.

Good to see Apple is looking out for everyone not just those using the default system options.
 

e-coli

macrumors 68000
Jul 27, 2002
1,837
801
Originally posted by Hemingray
I just gotta ask... who the heck voted this update as NEGATIVE? :rolleyes:
well, at least it's better than microsoft. they've had 65 security vulnerabilities and updates this year alone!

so...it's not so negative.
;)
 

peterjhill

macrumors 65816
Apr 25, 2002
1,095
0
Seattle, WA
Apple does not develop BIND, the ISC does. It is a very important update. Even if there were only ten Mac users running BIND, Apple would get a lot of heat for extending this patch any longer. The fix has been out for a few months, I believe. Also, BIND is not open source, I believe. The ISC has very strict rules on access to their source code. You have to sign an NDA, and pay them some money, not much, but some, like $100 a year for an individual.
 

henryblackman

macrumors member
Nov 23, 2002
52
0
Kinda Right

BIND 8.3.4 was released November 16, so the update has been out only a few days. I think that's acceptable for porting reasons. Also this fix is PROACTIVE, unlike MS's REACTIVE fixes. MS seems only to fix a problem when there is a well-publicised attack on it.

BIND is not open-source, but the source code is downloadable. Also, while it might not be activated, what Apple neglected to tell us is that the libraries it installs are well used. BIND libraries, on any Unix-type system, are used for DNS-lookup. Depending on what the vulnerability was, Mac OS X could have been vulnerable too.
 

Wry Cooter

macrumors 6502
Mar 10, 2002
418
0
Re: Kinda Right

Originally posted by henryblackman


BIND is not open-source, but the source code is downloadable. Also, while it might not be activated, what Apple neglected to tell us is that the libraries it installs are well used. BIND libraries, on any Unix-type system, are used for DNS-lookup. Depending on what the vulnerability was, Mac OS X could have been vulnerable too.
But this update patch is not a concern for those Mac OS X users who are not using their Macs as servers in any way, correct? It is only important for those serving content to the web from their Macs, or their Mac network (or serving via IP within their network), not those using their Macs primarily as passive clients to the web, no?
 

henryblackman

macrumors member
Nov 23, 2002
52
0
Like I said, BIND libraries are used for DNS lookup (resolver libraries). I have just checked what the vulnerabilities are, and no, Mac OS X is not vulnerable unless running BIND for DNS resolution as a SERVER. Users who have not turned on DNS serving will be fine without the update.
 

DOUBLEADESIGN

macrumors newbie
Jul 2, 2002
16
0
Chicago
Negatives

I think the negatives were all accidents. I clicked on it because I thought it would take me to the negative posts (moron, I know). So, there is your mysterious growing number of negative ratings!
 

Performfreak

macrumors member
Jul 17, 2002
56
0
Cedar Falls/Des Moines, IA
weird

I don't know why this is, but after installing this program, I've found my GUI to be much more responsive (i.e. genie effect, windows, etc). Granted, that I had to restart my computer which I don't do often, when I do restart I never noticed such an increase in GUI response. Anyone know why this would have occurred?
 

Wry Cooter

macrumors 6502
Mar 10, 2002
418
0
Re: weird

Originally posted by Performfreak
I don't know why this is, but after installing this program, I've found my GUI to be much more responsive (i.e. genie effect, windows, etc). Granted, that I had to restart my computer which I don't do often, when I do restart I never noticed such an increase in GUI response. Anyone know why this would have occurred?
This is not unusual. Even if the new code itself does not provide faster OS response, the act of installation and restarting does a hell of a lot of housekeeping, clearing a cluttered house which may have been slowing down things. And there was probably quite a bit of such work to do if you haven't shut down in some time.
 

MacBandit

macrumors 604
Re: Re: weird

Originally posted by Wry Cooter


This is not unusual. Even if the new code itself does not provide faster OS response, the act of installation and restarting does a hell of a lot of housekeeping, clearing a cluttered house which may have been slowing down things. And there was probably quite a bit of such work to do if you haven't shut down in some time.

Not to mention it probably performed a system bind, which would help things out greatly if you never restart or never install new Cocoa apps that take advantage of the Apple installer.

If installing this improved things I would highly recommend to anyone to start off the original 10.2 boot disk and do a permissions repair. This will also greatly improve system responsiveness for most of you.
 

dc396

macrumors newbie
Nov 25, 2002
1
0
BIND _is_ open source

A couple of people have stated BIND is not open source. This is wrong. BIND uses a modified Berkeley license that permits any and all use as long as you don't remove ISC's copyright or blame ISC if the software causes your computer to explode. For more information on BIND, see http://www.isc.org.

I suspect the previous posters got confused due to ISC's "BIND Forum" and the fees associated with that forum. Membership in the BIND Forum, which costs a varying amount depending on the size of the organization, allows early access to BIND security advisories. It has nothing to do with source code availability.

With respect to the security update, BIND version 8 (which ships with MacOS X, like pretty much every other version of Unix) was vulnerable if you enabled recursive DNS service locally. The particular vulnerability the update addresses has nothing to do with libraries.
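Added example, not part of the thread and not Apple's or ISC's code: a small check for the condition the last post describes, a running BIND 8 older than 8.3.4 with recursion left on. The function names and the sample `named.conf` are constructed for illustration, and treating every BIND 8 release below 8.3.4 as unpatched is an assumption.

```python
import re

FIXED = (8, 3, 4)  # BIND release the thread says addresses the issue

def strip_comments(conf):
    """Drop the three named.conf comment styles: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def options_block(text):
    """Return the body of options { ... }, honouring nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def recursion_enabled(conf):
    """named recurses unless options explicitly turns it off."""
    opts = options_block(strip_comments(conf))
    m = re.search(r"(?<![-\w])recursion\s+(\w+)\s*;", opts)
    return m is None or m.group(1).lower() not in ("no", "false", "0")

def parse_version(version):
    """'8.2.3-REL' -> (8, 2, 3); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(p or 0) for p in m.groups())

def needs_update(version, conf, named_running):
    """Assumption: every BIND 8 release below 8.3.4 is unpatched."""
    v = parse_version(version)
    return (named_running and v[0] == 8 and v < FIXED
            and recursion_enabled(conf))

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };      # nested block before the setting
    /* recursion no; */
    allow-recursion { 192.0.2.0/24; };
};
"""

if __name__ == "__main__":
    print(needs_update("8.3.3", SAMPLE_CONF, named_running=True))
```

In the sample the `recursion no;` line is commented out, so recursion stays at its default of on, and `allow-recursion` is not mistaken for the `recursion` statement.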