On July 31, 2008, Apple released an overdue patch for a major vulnerability in the way Mac OS X Server handles turning the names in Web sites and e-mail addresses into the numeric addresses used for connections. The vulnerability is a fundamental flaw in the Domain Name Service (DNS) protocol and affected all but a handful of DNS servers built into operating systems and released as stand-alone server software packages.
If the flaw is exploited on a DNS server run by an Internet service provider (ISP) or a company, an attacker would be able to redirect any user of that server to a destination of his or her choosing. Thus, while you might select Macworld.com from your bookmarks or type it into a browser's Location field, and the browser shows you www.macworld.com in that Location field, you've actually downloaded the home page of a malicious Web site hosted by a bad guy who has loaded it with malware and phishing attempts.
Although Apple released a fix for all Macs running OS X 10.4.11 and 10.5.4 (Server and desktop, Intel and PowerPC, Leopard and Tiger), the fix only repaired the most vulnerable part of DNS, the server software, even on systems that don't use it. (The server software is installed, but not turned on, in the regular flavor of Mac OS X, and in OS X Server, DNS service has to be configured and activated.)
Client DNS software, used by an operating system to request a DNS lookup from a full-scale DNS server, is still at risk, but at a lower level and under more limited circumstances.
Understanding the vulnerability
Earlier this year, security researcher Dan Kaminsky accidentally discovered a major vulnerability in DNS--the protocol that translates the domain names we can remember (www.macworld.com) into the Internet Protocol (IP) addresses used by the software that powers the Internet (70.42.185.230). (Note: One of the authors of this article, Rich Mogull, worked with Kaminsky on preparing the announcement.)
To be more accurate, Kaminsky didn't discover a new vulnerability, but a new, lethally effective method to attack a known weakness in DNS. Known as cache poisoning, this class of attack allows an attacker to corrupt the database that a DNS server holds in memory and consults to provide details to users' systems when they request name-to-number lookups.
Comments (1)
Great work
By howiem on August 10, 2008, 10:21 pm
This article is one that Windows users should read as well. I was very glad to see that you mentioned "secure bookmarks", which I rarely see anyone talking about...