The patch fixes an issue that would have enabled a remote attacker to cause a DNS server to unexpectedly terminate.
“A logic issue in the handling of dynamic DNS update messages may cause an assertion to be triggered,” said the Apple advisory (Security Update 2009-004). “By sending a maliciously crafted update message to the BIND DNS server, a remote attacker may be able to interrupt the BIND service.”
The BIND vulnerability first surfaced in July, and a fix was issued by the Internet Systems Consortium (ISC), a nonprofit that supports a number of internet software implementations. The vulnerability only affects servers that are the master system in a DNS zone.
“It's probably more of a threat to an OS X server than to everyday workstations,” Joel Esler, an incident handler with the SANS Internet Storm Center, told SCMagazineUS.com on Thursday in an email. “Since Apple runs the BIND DNS software, they are vulnerable to it.”
The recent flurry of updates from Apple highlights the pace of new security issues at every level.
“If you patch, you close that particular vulnerability,” Cricket Liu, vice president of architecture at DNS appliance vendor Infoblox, told SCMagazineUS.com on Thursday. “But, of course, this is a constant arms race – hackers find vulnerabilities and we have to patch our name servers as quickly as possible.”
“This is just the latest in a string of vulnerabilities that have been found in various name server implementations over the years,” he added.
The update is available for download for Tiger clients and servers, as well as the Leopard OS.
“All users should upgrade immediately, since there are exploits in the wild already,” Esler said.