Apple released Security Update 2008-006 fixing a number of issues in the underlying components of the Mac operating system. This update was included in Mac OS X 10.5.5 released last night, so there is no need to download the update if you installed 10.5.5.
Among the changes are two fixes for DNS cache poisoning. One of the components susceptible to this problem is libresolv, which provides translation between host names and IP addresses. The other component, mDNSResponder, was also susceptible to cache poisoning. Both of these have been updated implementing source port and transaction ID randomization.
A couple of changes were made to the login window. In one instance a user may be able to login without providing a password. In some instances, with the guest account enabled and a failed attempt to login, a user could login as any user without providing a password.
The second login window change protects a users password from being changed. If a user is required to change their password in the login screen and it fails an error message is displayed. Because the current password is not cleared, a user could gain access to the account. The update clears the password in the error message.
A change has been made to the VNC password viewer to show the actual limit of eight characters. Previously the password viewer would display more than eight characters, giving the user the impression that all characters were being used.
Time Machine backups have been updated, protecting users information. When a backup is done several log files are saved to the backup drive with read permission. This could allow other users to view the files.
Security Update 2008-006 for PowerPC, Intel and Server is available for download from Apple’s Web site.