Latest Apple Security patch addresses DNS flaw, other issues

Apple has released Security Update 2008-005. In addition to several other security issues, it most notably addresses a serious flaw in the DNS server included in Mac OS X. BIND is updated to version 9.4.2-P1, the same version that was recommended by TidBITS's Glenn Fleishman in his how-to that we mentioned yesterday. Also, a flaw has been fixed in Open Scripting Architecture that allowed applications with elevated privileges to execute arbitrary scripts and commands as root. This fix addresses previously-reported security issues with ARDAgent, part of Apple Remote Desktop.

The update addresses potentially serious security issues with several components of Mac OS X, including CoreGraphics, Carbon long-filename handling, Data Detectors, Disk Utility, and an issue with QuickLook and certain Microsoft Word files. For security reasons, several open-source components included in Mac OS X have also been updated to the latest stable versions, including OpenLDAP, OpenSSL, PHP, and rsync.

Yesterday, Macworld's John C. Welch took Apple to task for taking so long to address the DNS flaw, especially since Apple had been notified about the issue two months before the flaw was made public on July 8. By then, Apple was the only OS vendor that had not issued a patch. Whatever the reason for the delay, Welch rightfully criticized Apple for not communicating its plans to address the problem. "Even if the patch is released today, that’s not going to be enough," he wrote. Apple has come a long way in improving its response to security issues in its software, but this incident demonstrates that Apple still has a long way to go to earn the trust of IT professionals.