A patch that will fix the Berkeley Internet Name Domain (BIND) DNS server flaw has been released by Apple.
Apple announced the release of the fix in a security advisory saying that the patch would fix the vulnerabilities Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4 and Mac OS X Server v10.5.4.
The DNS flaw allows an attacker to execute a cache poisoning attack, where traffic to a legitimate domain name is redirected to a malicious one after an attack on a DNS server. The user can type in the correct name for a website, but get a fake one instead, which can enable a phishing attack. While some users might notice if they're directed to an odd-looking webpage, many people could be successfully fooled.
Apple is among a handful of companies that security experts have said moved far too slowly in reacting to the DNS bug. Other vendors, including Cisco and Microsoft, had patches ready when the existence of the flaw was disclosed on July 8. But some network administrators have reported compatibility problems with those early patches.
ISPs and major vendors with either DNS software or DNS services applied patches after the flaw's discoverer, security researcher Dan Kaminsky, coordinated a secret patching effort.
Details of how to exploit the flaw were eventually leaked on July 21, making those with still-unpatched systems especially vulnerable.
Many ISPs still have not patched their systems, and Kaminsky said those companies are moving far too slow given the danger the vulnerability poses. Some attacks have been reported.
Apple has also wrapped a dozen other fixes in the security update. The fixes can be downloaded individually or the 'software update' feature can be used in OS X to download the whole batch.