Security Update 2009-004, Apple’s latest update to the domain name service (DNS) software found in client and server versions of Mac OS X 10.4 and 10.5, is critical – but affects only those people who have manually enabled Mac OS X’s DNS server.
This includes system administrators using the DNS server in Tiger Server or Leopard Server for name resolution where the DNS servers can be reached in any fashion from outside a local network. It also includes a very small number of people who like to monkey at the command line and happened to enable DNS on regular Tiger or Leopard systems.
The flaw that the update fixes could disrupt a network by allowing a remote attacker with no other access to a company’s network to kill a DNS server. It’s likely that Apple servers represent a nearly invisible fraction of all public-facing DNS servers worldwide, and thus few attackers would try to exploit this now-patched problem.
Security Update 2009-004 for Mac OS X and Mac OS X Server 10.4.11 and 10.5.8 has nothing to do with fundamental DNS flaws that Rich Mogull and I wrote about in “Apple Fails to Patch Critical Exploited DNS Flaw” (2008-07-24) and Adam Engst and I updated with “Apple Finally Fixes DNS Flaw and ARDAgent Vulnerability” (2008-08-01).
DNS still suffers from a fundamental design flaw that last year’s patches ignored – the problem is enormously harder to exploit but wasn’t eliminated. DNS’s security infrastructure has to evolve to embed cryptography in such a way that a request to turn a human-readable domain name into something else can’t be spoofed by an attacker.