Agreed. As one example, the latest batch of Apple's security updates
includes these two:
[begin quote]
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: A remote attacker may be able to cause a denial of service
in systems configured to run BIND as a DNS nameserver
Description: A reachable assertion issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2011-4313
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact: A remote attacker may be able to cause a denial of service,
data corruption, or obtain sensitive information from process memory
in systems configured to run BIND as a DNS nameserver
Description: A memory management issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1 on
OS X Lion systems, and BIND 9.8.3-P1 on OS X Mountain Lion systems.
CVE-ID
CVE-2012-1667
[end quote]
If you had your computer set up to act as a DNS server, it was
vulnerable to these issues. The packet which could have potentially
triggered them would have come in via a connectionless protocol (UDP),
using port 53, so if your firewall was only blocking incoming TCP
connections, it would not help.
Of course, having a firewall block all access to the DNS server you are
running would defeat the purpose of running the server in the first
place, but a selective firewall which reduced the potential sources of
DNS packets would have reduced the risk of striking this issue.
There could easily be other issues with UDP-based connectionless
protocols, such as Bonjour (multicast DNS), but I didn't spot any Apple
has fixed in the last couple of years (since I started getting Apple's
security notifications via e-mail).
--
David Empson
dem...@actrix.gen.nz
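As an added illustration (not part of the post above, and not Apple's or ISC's configuration), here is what the "TCP-only" firewall versus the "selective" firewall described in the post looks like as a pf ruleset on a Mac running BIND. The interface name en0 and the client ranges 192.0.2.0/24 and 198.51.100.10 are constructed placeholders; replace them with the real values for the host.

```pf
# --- Weak ruleset: only inbound TCP is blocked ---------------------------
# UDP datagrams to port 53 from ANY source still reach named, so a crafted
# record that trips the reachable assertion (CVE-2011-4313) or the memory
# management bug (CVE-2012-1667) can arrive from anywhere on the network.
block in proto tcp
pass  in proto udp to any port 53

# --- Selective ruleset: default deny, then allow DNS only from known clients
ext_if      = "en0"                                  # assumption: outside interface
dns_clients = "{ 192.0.2.0/24, 198.51.100.10 }"       # constructed placeholder ranges

set skip on lo0                                      # never filter loopback
block in on $ext_if all                              # default deny, TCP and UDP alike

# UDP/53 is the packet path the post describes; limit it to the listed sources.
pass in on $ext_if proto udp from $dns_clients to any port 53

# DNS also falls back to TCP/53 (zone transfers, answers too large for UDP);
# permit it from the same sources so the server stays usable.
pass in on $ext_if proto tcp from $dns_clients to any port 53 flags S/SA keep state

# Let the server's own outbound queries and replies flow.
pass out on $ext_if all keep state
```

Validate the syntax with `sudo pfctl -nf /path/to/pf.conf` before loading it, and confirm the active rules afterwards with `sudo pfctl -sr`.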