
Security Update 2009-004 DNS Patch Applies to Few Systems

Security Update 2009-004, Apple’s latest update to the domain name service (DNS) software found in client and server versions of Mac OS X 10.4 and 10.5, is critical – but affects only those people who have manually enabled Mac OS X’s DNS server.

This includes system administrators using the DNS server in Tiger Server or Leopard Server for name resolution where the DNS servers can be reached in any fashion from outside a local network. It also includes a very small number of people who like to monkey at the command line and happened to enable DNS on regular Tiger or Leopard systems.
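To check whether a given Mac falls into either group, look for a socket bound to port 53. The sketch below is an added example, not from the original article: it assumes BSD-style `netstat -an` output as Mac OS X prints it, the function names are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Classify sockets bound to port 53 from BSD-style `netstat -an` output on stdin.
# Prints "<proto> <local-address> <loopback|exposed>" per socket; "exposed"
# means bound to a non-loopback address (a firewall may still block it).
dns_listeners() {
    awk '
        # Only UDP sockets and TCP sockets in LISTEN state accept queries;
        # this skips outbound lookups whose *foreign* port is 53.
        $1 ~ /^udp/ || ($1 ~ /^tcp/ && $NF == "LISTEN") {
            laddr = $4
            # netstat writes addr.port; require ".53" at the very end so
            # mDNSResponder on *.5353 is not mistaken for a DNS server.
            if (laddr !~ /\.53$/) next
            addr = laddr
            sub(/\.53$/, "", addr)
            scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "exposed"
            print $1, laddr, scope
        }
    '
}

# Succeeds (exit 0) if any port-53 socket is bound beyond loopback.
dns_exposed() {
    dns_listeners | grep -q ' exposed$'
}

# Constructed sample output (not captured from a real machine).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.10.49152     17.0.0.1.53            ESTABLISHED
udp4       0      0  *.53                   *.*
udp4       0      0  *.5353                 *.*
udp4       0      0  127.0.0.1.53           *.*
EOF
}

# On a live system: netstat -an | dns_listeners
sample_netstat | dns_listeners
```

No output from `netstat -an | dns_listeners` means nothing on the machine is answering on port 53.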

The flaw that the update fixes could disrupt a network by allowing a remote attacker with no other access to a company’s network to kill a DNS server. It’s likely that Apple servers represent a nearly invisible fraction of all public-facing DNS servers worldwide, and thus few attackers would try to exploit this now-patched problem.

Security Update 2009-004 for Mac OS X and Mac OS X Server 10.4.11 and 10.5.8 has nothing to do with the fundamental DNS flaws that Rich Mogull and I wrote about in “Apple Fails to Patch Critical Exploited DNS Flaw” (2008-07-24) and that Adam Engst and I updated with “Apple Finally Fixes DNS Flaw and ARDAgent Vulnerability” (2008-08-01).

DNS still suffers from a fundamental design flaw that last year’s patches ignored – the problem is enormously harder to exploit but wasn’t eliminated. DNS’s security infrastructure has to evolve to embed cryptography in such a way that a request to turn a human-readable domain name into something else can’t be spoofed by an attacker.
