Security Update 2008-005 Released

[MacRumors]

Apple has released Security Update 2008-005 via Software Update. The update patches several vulnerabilities including a much-publicized DNS/BIND server vulnerability where an attacker could cause a Mac OS X DNS server to direct clients to forged websites.

The update is available for Mac OS X Server 10.4, Mac OS X 10.4.11, Mac OS X Server 10.5, and Mac OS X 10.5.4.

Article Link

 

[macbookairman]

darn it. requires a restart.

installed, working fine.

 

[WoFat]

Oh the humanity! A Restart! (insert head shake here)

 

[balwx]

Also 65.1mb on my macbook... thanks

 

[alphaod]

First restart in weeks!

So this prevents the publicized IP issues?

 

[jmadlena]

Goodie. I love updating; always makes me feel a bit better. I don't know if my activities are susceptible to the DNS flaw, but I love knowing that it is fixed*.

*At least until someone finds a new exploit.

 

[dadoc04]

Got it. Thanks 4 the heads up guys.

 

[scotty56]

I feel safer already 😎

 

[macbookairman]

Oh the humanity! A Restart! (insert head shake here)

haha. i hate restarting. i'm always in the middle of something important when a software update comes that requires a restart. (and i can't resist the urge to install the update)

 

[cgtyoder]

It's about time

Better late than never, I guess.

Embarrassing that MS had this fixed a month ago.

 

[majordude]

That's sorta strange... an update at 8:00PM PST? 😕

 

[Auzburner]

Took 3 minutes to find, read, install and restart. Complete. ]

PS - Where'd all of the Home Depot ads come from?

 

[tfongg37]

Good update. Security updates are always good. Hope iPhone 2.1 comes out ASAP. im sick of the 10 minute backups.

 

[encro]

That's sorta strange... an update at 8:00PM PST? 😕

Security Update 2008-005 was released just hours after high profile articles such as:
http://www.macworld.com/article/134793/2008/07/apple_dns.html

The Press has been all over this since all but Apple had released a critical DNS update. Not strange, it's possibly just Apple's PR trying to implement damage control regarding their security reputation. There are other security issues that were resolved also ( see http://support.apple.com/kb/HT2647 ) so it may just be a coincidence with regards to timing.

 

[Nermal]

It didn't appear for me until I installed iTunes 7.7.1 😕

 

[sam10685]

darn it. requires a restart.

installed, working fine.

Your mad because you had to restart your computer? What's that... 20-30 seconds? Yeah... I'd hate to see what happens if the computer ever needed to be turned COMPLETELY off.

 

[Eric S.]

darn it. requires a restart.

Wouldn't be much of a security update if it didn't. 😉

 

[shawnce]

Embarrassing that MS had this fixed a month ago.

Yeah good response time on MS part however the patch has had a few side effects (all correctable via registry modification IIRC)...

http://support.microsoft.com//kb/956189

Lets hope the BIND related side effects are minimal for Mac OS X server users and those that use BIND on Mac OS X (doubt many have the volume to hit the known performance issue in the P1 update)

 

[branjosef]

I feel safer already 😎

Me too. My security update was "ribbed" for my pleasure 🙄

 

[branjosef]

Better late than never, I guess.

Ah brings back memories ...😉

 

[macbookairman]

Your mad because you had to restart your computer? What's that... 20-30 seconds? Yeah... I'd hate to see what happens if the computer ever needed to be turned COMPLETELY off.

i was in the middle of some important stuff. shheeesh. and i wasn't mad. i just said darn it.

 

[Elektronkind]

Please note that the DNS vulnerability does not directly affect DNS clients per se, but is in DNS *servers*, which the multitude of you are not running. If you are running a DNS server (named) on your Mac, you likely know that you are since it would take manual setup to get running.

This vulnerability in DNS servers *can* affect clients in that a server with a dirty DNS cache can pass the wrong data back to the requesting client... but this isn't the client's fault. It's the server's fault, which this patch addresses.

This distinction is important, and would otherwise probably be lost on the majority of the crowd here.

That said, you should probably install this eventually (and you eventually will via OSX update or this small one anyway) but don't get in a tizzy if you can't do it right this moment.

 

[sebastianlewis]

I feel safer already 😎

The BIND bug probably doesn't affect you unless you have it enabled.

Sebastian

 

[janey]

The Press has been all over this since all but Apple had released a critical DNS update. Not strange, it's possibly just Apple's PR trying to implement damage control regarding their security reputation...

Security reputation? What security reputation? 😀

Honestly, shame on Apple. They're selling a server OS. They should have had this patch ready earlier, especially because Kaminsky let them in on the issue like he did with MS and ISC and Cisco *before* the multivendor patch release date. I was personally shocked to see absolutely no statement from Apple whatsoever that day. The response to my radar bug filed with Apple Product Security was insane.

At least it's available. As far as I know, my ISP hasn't yet even considered it, so I'm using OpenDNS for the time being.

 

[Bob Knob]

Took 3 minutes to find, read, install and restart. Complete. ]

PS - Where'd all of the Home Depot ads come from?

I think the Home Depot ads are a great sign that macrumors has reached a audience big enough to pull down mainstream advertisers!