Apple fixes Bind exploit and Safari bugs

Apple has released fixes for a zero-day security hole in its products caused by an underlying flaw in the Bind internet server standard.

The Apple Bind patch addresses an issue that began being exploited in the wild last month, which could enable a remote attacker to crash servers that are masters of one or more zones. Security experts have warned that the Bind flaw is easily exploited.

In its advisory on Wednesday, Apple noted that Bind is included with Mac OS X and Mac OS X Server, but is not enabled by default. The update issued by Apple allows Mac OS X and Mac OS X Server to properly reject maliciously crafted messages, the company said. The versions affected are: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8 and Mac OS X Server v10.5.8.

Separately on Tuesday, Apple patched a series of bugs in Safari, including flaws in CoreGraphics, ImageIO and WebKit that could allow an attacker to compromise a system.

The Safari patches are available for Microsoft Windows XP and Vista, as well as Mac OS X and OS X Server. One patch addresses a bug that could allow a malicious website to promote itself to Safari's Top Sites view.

Independent security firm Secunia ranked the most serious of the Safari bugs as "highly critical".

The WebKit update patches a flaw that could allow the disclosure of sensitive information and an error that could allow the use of lookalike characters in a URL to disguise the true address of a website.

Apple's last update to Safari was last week, on 5 August, as part of a general update to Mac OS X. The update patched 18 bugs.