Click here to receive your FREE subscription to Campus Technology
News
Apple Reacts to Spoof Threats, Issues DNS Hotfix
8/4/2008
|
|
Apple Inc. took action Friday to address the infamous Domain Name System (DNS) problem. And none too soon.
Last week saw a DNS server exploit divert AT&T Internet service users in Austin, Texas. The DNS trouble, which caused users to be sent to a bogus Web page, occurred more than a week after Microsoft issued its own warning about the dangers of a weak DNS framework.
In response to the threat, Apple released Security Update 2008-005, saying that its latest hotfix protects open scripting architecture libraries from certain vulnerabilities. If left unfixed, a hacker or internal enterprise user might leverage the exploit to "execute commands with elevated privileges."
On the whole, the patch addresses the DNS issue by implementing what the company calls "source port randomization to improve resilience against [DNS] cache poisoning attacks."
The patch is for Mac OS X Server 10.4 and 10.5, as well as for Mac OS X 10.4.11 and 10.5.4 operating systems.
For Mac OS X v10.4.11 systems, the Berkeley Internet Name Domain (BIND) is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. The hotfix also closes the script-based local privilege escalation vulnerabilities in the MAC for Windows programs.
Apple responded to one of this year's most controversial security issues in issuing the hotfix, but there is already some push back. Security researcher Swa Frantzen, who works at the SANS Internet Storm Center, asserted that the hotfix is incomplete. Apple's fix hasn't quite done the trick.
"Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the [Internet] Protocol weakness," Frantzen wrote in a blog post on Friday.
The issue appears to be that, despite Apple's patch, BIND under OS X is incrementing the ports it uses to communicate DNS information in a predictable instead of random pattern.
Recommended Reading
- Beck Technology Donates DProfiler to Colleges, Universities
Beck Technology recently announced that it will donate its DProfiler software platform to colleges and universities for use in construction-related coursework.
- Microsoft Adds Gen 4 Datacenters for Cloud Computing
Microsoft is initiating the fourth in a series of datacenter upgrades to enable its cloud computing services, according to a Microsoft blog post Tuesday. And, like everything else in the software world, being highly modular is a good thing.
- Can You Operate as a Virtual Being?
Now that we are conducting at least a part of our business of education virtually and often meeting in virtual environments, let's explore the really big question for academics in a Web 2.0 era...
- Columbia Center To Smooth Web Operations with Collaboration Suite
A college or university without a Web site is inconceivable today, but with every site comes the challenge of managing content. Some sort of automated system is a given, but how much should the site's content management system integrate with other aspects of the campus computing infrastructure?
- IBM's Pass It Along: Mapping Memes Toward A Learning Organization
How IBM's new release is following through on old challenges... big ones.
- North Idaho College To Provide Accessible Lecture Recordings for Disabled Students
North Idaho College will be implementing a new classroom capture system as part of an effort to provide accessible education to students with disabilities. The college will be using SpeakerBox from ClearSky Systems for the lecture capture program beginning in January 2009.
