Apple Gives mDNSResponder Security Update; Credits Montreal Hacker
Apple has published an updated support document detailing a security update for mDNSResponder, “the low-level open source software that implements Bonjour in Apple and third-party products.” Bonjour allows for discovery of devices and services on your network, such as setting up printers and file sharing servers.
The company clarifies that all current versions of Apple products use the updated version of Bonjour, while older versions will require a security update.
These are the platforms affected:
- Versions prior to OS X El Capitan v10.11.1
- Versions prior to OS X Yosemite v10.10.5 with Security Update 2015-004 Yosemite
- Versions prior to OS X Mavericks v10.9.5 with Security Update 2015-007 Mavericks
- Versions prior to iOS 9.1
- Versions prior to watchOS 2.1
- AirPort Base Station Firmware versions prior to 7.7.7 and 7.6.7
Apple says it has “coordinated” with numerous vendors to ensure they are aware of the availability of these security updates.
As for the recent AirPort Base Station Firmware Updates 7.6.7 and 7.7.7, Apple explains it closed a loophole where “A remote attacker may be able to cause arbitrary code execution,” due to “A memory corruption issue [that] existed in DNS data parsing.”
The problem was fixed “through improved bounds checking,” and Apple credits Alexandre Helie with discovering the security hole.
Back in January, TVA Nouvelles reported that Helie, a 21-year-old hacker from Quebec, had reported the discovery of three security exploits to Apple; he says the iPhone maker then called him and asked him not to publish the findings.
Helie said he believed at the time Apple would offer him a ‘bug bounty’, a monetary reward to hackers for discovering exploits and reporting them. However, Apple did not pay the gifted student, but rather flew him out on a trip to their Cupertino headquarters.
There, Helie met teams and discussed potential employment; when he returned home to Montreal, he received two job offers from Apple and agreed to work with a team that tests core operating systems before they are made public.
As Helie was not eligible for a work visa in the U.S. yet, he is said to work for Apple in Vancouver for a year first, before relocating to Cupertino.