Apple released updates to fix at least 17 different security holes in its OS X operating system and other software late Thursday, including a patch for the domain name system (DNS) vulnerability that many other affected vendors addressed nearly three weeks ago.
Security Update 2008-005 patches a serious flaw in the DNS that could allow hackers to hijack users' Internet connections or silently redirect them to counterfeit Web sites. Cisco, Microsoft, Sun Microsystems and a host of Linux projects pushed out a coordinated fix for the flaw on July 8, when it was first disclosed, and Apple immediately took heat for not releasing its patch then as well.
My guess is that Apple planned all along to release its patch this week or early next. Dan Kaminsky, the researcher who discovered the DNS flaw and helped coordinate the release of the patches to fix it, tried to withhold details about how the flaw might be exploited until his scheduled talk at next week's Black Hat hacker convention in Las Vegas. That plan obviously fell apart more than a week ago, when other researchers posted details online showing precisely how to exploit the vulnerability.
Updates are available for Mac OS X v10.4.11, Mac OS X Server v10.4.11,Mac OS X v10.5.4, Mac OS X Server v10.5.4, via Software Update or Apple Downloads.
If you have questions about these patches, the DNS vulnerability or other related computer security questions, join me today at 11 a.m. ET for my regularly scheduled online discussion.
