From the
“
better late than never
”
files:
For some unknown reason, Apple did not have a patch available for the DNS flaw that Dan Kaminsky first announced more than two weeks ago, despite the fact that one was available for BIND (which is what Apple uses). Apple has finally gotten off its iPhone rich tail and now put out an official patch, saving users from a flaw that has been weaponized and exploited in the wild.
The BIND update is part of Apple security update 2008-005 which also includes fixes for PHP, OpenLDAP and OpenSSL.
Do you see a pattern here? Cause I sure do.
Apple uses a lot of open source software and that’s great. Apple also doesn’t seem to be offering its users the updated packages for some of those open source packages as quickly as they are actually available in the general community (not so great).
It sure would be easy pickings for hacker to just look at the open source apps running on a Mac, see what isn’t update and then go after vulnerabilities that have already been publicly exposed.