Apple finally patches dangerous DNS flaw

Apple has at last issued a patch for the DNS flaw  considered one of the most dangerous vulnerabilities ever to affect the Internet.

On Friday, Apple posted a security advisory saying that the patch will fix Apple's implementation of the Berkeley Internet Name Domain (BIND) DNS server in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4.

The DNS flaw allows an attacker to execute a cache poisoning attack, where traffic to a legitimate domain name is redirected to a malicious one after an attack on a DNS server. The user can type in the correct name for a Web site, but get a fake one instead, which can enable a phishing attack. While some users might notice if they're directed to a odd-looking Web page, many people could be successfully fooled.

Apple is among a handful of companies that security experts have said moved far too slow in reacting to the DNS bug. Other vendors, including Cisco and Microsoft, had patches ready when the existence of the flaw was disclosed  on July 8. But some network administrators have reported compatibility problems with those early patches.

ISPs and major vendors with either DNS software or DNS services applied patches after the flaw's discoverer, security researcher Dan Kaminsky, coordinated a secret patching effort.

Details of how to exploit the flaw were eventually leaked on July 21, making those with still-unpatched systems especially vulnerable.

Many ISPs still have not patched their systems, and Kaminsky said those companies are moving far too slow given the danger the vulnerability poses. Some attacks have been reported.

Apple has also wrapped a dozen other fixes in the security update. The fixes can be downloaded individually or the "software update" feature can be used in OS X to download the whole batch.