Bonjour for Windows 1.0.5 patches two DNS vulnerabilities

Included within iTunes 8, the security patches are specific to Windows 2000, XP, and Vista users.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Sept. 9, 2008 4:10 p.m. PT

Apple on Tuesday released Bonjour for Windows 1.0.5., patching the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Bonjour for Windows can be found within iTunes. Earlier on Tuesday, Apple released DNS patches for iPod Touch. Bonjour for Windows 1.0.5 may be obtained downloading iTunes 8.0 or from Apple Software Downloads.

mDNSResponder 1
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses null pointer reference issue in CVE-2008-2326. Apple says the problem within Bonjour Namespace Provider lies in resolving a maliciously crafted ".local" domain name containing a long DNS label. Doing so may cause an unexpected application termination. This issue does not affect systems running Mac OS X.

mDNSResponder 2
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses the vulnerability detailed within CVE-2008-3635. Apple explains that "Bonjour for Windows provides Zero Configuration Networking, Multicast DNS, and Network Service Discovery for Windows users. It's also possible to use the Bonjour API to issue conventional unicast DNS queries. A weakness in the DNS protocol may allow a remote attacker to spoof DNS responses. As a result, if there are applications that use Bonjour for Windows for unicast DNS, those applications may receive forged information. However, there are no known applications that use the Bonjour APIs for unicast DNS hostname resolution." This issue does not affect systems running Mac OS X.