Apple released a firmware for their wireless router today that patches a critical vulnerability.
The flaw, a memory corruption issue stemming from DNS (Domain Name System) data parsing, allows arbitrary code execution, Macworld is reporting. The new firmware, 7.6.7 and 7.7.7, solves the issue. Fortunately, it appears Apple found the issue before anyone could exploit it.
“A memory corruption issue existed in DNS data parsing,” reads Apple’s security report on the update. “This issue was addressed through improved bounds checking.”
Apple didn’t offer a lot of details about the bug, or the fix, beyond those words. This is typical for the company, which prefers to wait until a thorough investigation is complete before revealing too much about security flaws.
Having said that, we can explain a little better what Apple means by an “issue in DNS data parsing”. DNS, if you don’t know, is the system by which your a web address (for example, “google.com”) is translated into an IP address (for example, “184.108.40.206”).
What’s that have to do with the Airport? When you try to open a web address, your computer or phone asks the local router for the IP address. In this way, the router is acting as a local DNS server. Your router, in turn, asks an external DNS server for the address, meaning it is acting as a DNS client.
Apple has not clarified which role the Airport plays, server or client, was causing the problem. Whichever role it was, it was bad enough to allow the execution of arbitrary code, which in security terms means an attacker could do whatever they wanted after exploiting the issue.
So if there’s one upgrade you don’t ignore, it’s this one. Go ahead and install that update now, and make sure the rest of your devices are up-to-date while you’re at it.
- Apple protects MacOS Sierra, El Capitan from Meltdown, lists Google bugs
- Microsoft’s Windows 7 Meltdown update granted access to all data in memory
- Blizzard patches security hole to block hackers from sending fake updates
- Microsoft misses another Edge-related 90-day security disclosure deadline
- AMD is working on fixes for the reported Ryzenfall, MasterKey vulnerabilities