Twenty-four days after the rest of the industry mobilized to patch a serious flaw in the domain name system (DNS) protocol that’s core to the functioning of the Internet, Apple has at long last released Security Update 2008-005, which includes its fix for the regular and server flavors of Mac OS X 10.4 Tiger and 10.5 Leopard. If 24 days doesn’t sound like a long time, note that Apple was notified privately on 05-May-08, nearly 3 months ago, and this is for a vulnerability with significant exposure that had the potential to be disastrous for Apple’s business and hosting customers, as amply described in an opinion piece for Macworld by Mac system administrator John Welch.
This update also repairs the ARDAgent flaw first reported 18-Jun-08 that enables someone either with access to a computer as a regular user, or who could convince someone to download and run software containing a Trojan horse, to gain root privileges on the system.
(For details on the DNS flaw and Apple’s delayed response, see “Apple Fails to Patch Critical Exploited DNS Flaw,” 2008-07-24. For more about how the ARDAgent vulnerability could be exploited, see “How to Protect Yourself from the New Mac OS X Trojans,” 2008-06-25.)
You can download Security Update 2008-005 via Software Update (the easiest approach), or as standalone downloads for all versions of Mac OS X 10.5 Leopard (65 MB), for the desktop versions of Mac OS X 10.4.11 Tiger for PowerPC (88 MB) and Intel (143 MB), and for Mac OS X 10.4.11 Tiger Server for PowerPC (135 MB) and Intel (180 MB). While the Leopard update doesn’t explicitly state it works with Leopard Server, we checked Software Update on TidBITS’s Xserve running 10.5.4 Leopard Server and were prompted to install the same-sized and -named update as on a MacBook that uses Leopard’s 10.5.4 desktop release.
DNS Flaw Fixed — Those of you operating DNS servers via any version of Tiger or Leopard should immediately back up your current systems, make sure they have a good point to revert to in the case of failure, and install this security update. The same goes (with fewer potential repercussions) for all other Tiger and Leopard users.
Although we haven’t tested this update in a production situation where we’re answering DNS queries from servers all over the Internet, the update seems to have worked just fine on all the systems we’ve updated, including Leopard Server and a regular Leopard installation. Apple’s security updates have a generally good track record in performing as expected and not introducing new complications.
Tiger users will see Internet Security Consortium BIND (the DNS software Apple relies on) updated to 9.3.5-P1, and Leopard systems will move to 9.4.2-P1. The latest version of BIND software is 9.5.0-P1, but Apple hasn’t incorporated this update into Leopard.
Owners of systems running Mac OS X 10.3 Panther or earlier releases are still vulnerable, whether the systems are acting as recursive DNS servers that handle lookups from queries on the same computer or others, or merely as clients. The flaw is likely to be exploited on servers, but clients are still vulnerable. Servers can, at least, turn off recursion and forward requests to patched DNS servers, dramatically reducing the current risk profile. We’ll write more about this as we understand the scope of the concern for ordinary users of Panther and earlier systems. While there may not be many such people – The Omni Group’s operating system statistics show 57 percent of their users on Tiger, 42 percent on Leopard, and a vanishingly small 0.3 percent using other versions of Mac OS X – the last thing the Mac community needs is a small group of older systems being used as a springboard for new types of malware.
ARDAgent and Other Flaws Fixed — Security Update 2008-005 repairs a number of other serious-sounding flaws in Tiger and Leopard that don’t appear to have been exploited yet. As noted earlier, the update closes a hole that allowed the Apple Remote Desktop (ARD) daemon software, even when not running, to be used as a conduit to run a script that would allow a local user or malicious software installed by a local user to gain root access to a system.
The fix for ARDAgent (and similar programs) involves a change in the Open Scripting Architecture that prevents programs with system-level privileges from loading scripting additions, thus stopping attackers from using such software as a wedge for gaining system control.
The update also fixes a Disk Utility error that happens when you use Repair Permissions in 10.4.11. The terminal-based text editor emacs would be granted root privileges after permissions were repaired. The fix restores the correct controls within Disk Utility, but Apple doesn’t state whether you should re-run the repair operation. We imagine you should, if you have other local users on a system that’s running 10.4.11.
Also noteworthy is that Security Update 2008-005 installs PHP version 5.2.6 to address security flaws in the 5.2.5 release that was previously available in Leopard. PHP is widely used to power Web sites. Other potentially concerning but less-known problems were also fixed.
Serious Reputation Hit — As usual, we’ll never quibble with Apple releasing a security update, particularly one that fixes such serious vulnerabilities. But put bluntly, Apple blew it on this one – this update should have been released on 08-Jul-08 when the rest of the industry released their patches. Yes, Apple was busy with the iPhone 3G, iPhone software 2.0, and App Store launches, along with the .Mac-to-MobileMe transition (which itself turned into a debacle). It doesn’t matter – Apple had plenty of time and all they had to do was package up and perform normal stress testing of new versions of BIND. The BIND installation shows a creation date of 25-Jul-08, meaning that Apple didn’t finalize its update for testing until just a week ago.
Trust takes time to acquire, but it can be lost quickly. Apple has made much of Mac OS X’s security and, after a slightly rocky initial start with the earliest versions of Mac OS X, has been doing a generally good job of responding in a reasonably timely fashion to security threats. But to delay the release of the fix for such an important vulnerability was simply negligent, and it both infuriated Macintosh system administrators and damaged Apple’s reputation in the enterprise market.