Apple + Security & Privacy

Apple has just issued a security update for a serious flaw in the DNS server BIND, that is used by both client and server versions of Mac OS X. As Apple states in its security advisory,

A logic issue in the handling of dynamic DNS update messages may cause an assertion to be triggered. By sending a maliciously crafted update message to the BIND DNS server, a remote attacker may be able to interrupt the BIND service. The issue affects servers which are masters for one or more zones, regardless of whether they accept updates. BIND is included with Mac OS X and Mac OS X Server but it is not enabled by default. This update addresses the issue by properly rejecting messages with a record of type ‘ANY’ where an assertion would previously have been raised.

This bug was made public on July 29, and Apple obviously considers it serious enough to issue an update today correcting just this one vulnerability. While other sources say it is of low severity, Apple’s choice of issuing this security update now suggests that it might actually be more serious.

You can download the update via Software Update, and you can get more information here.