
Apple's DNS patch coming up short

The distance between good intentions and actual results seems to be getting longer and longer. While Apple did release a security patch yesterday that included a BIND fix for the widely publicized cache-poisoning exploit (some time after most other vendors got updates out to their customers), that fix doesn't seem to be, you know, actually working.

Multiple sources have noted that Apple's DNS patch, at least on the Mac OS X 10.4 and 10.5 client versions, isn't implementing the key feature that's meant to block cache poisoning: source port randomization on outgoing queries. While the same version of BIND running on Linux systems behaves as expected, Mac OS X machines doggedly issue DNS requests from sequential ports, which makes a forged answer far easier to get accepted and leaves them far more vulnerable to spoofing by malicious folk.

This may seem like an esoteric vulnerability, and indeed for most Mac users the more important question is whether or not your ISP or network manager has patched the primary DNS servers you rely on (you can check your DNS server's status with Dan Kaminsky's online checker). Apple's behavior on this security issue, however, is very troubling. Waiting weeks to issue a patch for a key vulnerability and lagging behind other OS vendors is bad enough; shipping that patch only to have the user community discover that it doesn't work worth a bucket of warm spit ... that's not the act of a company that claims to care deeply about the security of its customers.

Update: Kaminsky suggests that we lighten up; Mac OS X Server (which would be the most vulnerable to attack, if it serves as the primary DNS for your network) has been patched, even if the client patch isn't behaving properly yet.
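As an added illustration (not code from the post, from Apple or from BIND), here is how a network admin could check a client's outbound DNS queries for the source port randomization the post says the client patch is missing. The capture lines are constructed tcpdump-style samples, and the 50% "sequential" threshold is an assumption chosen for this example.

```python
"""Classify a resolver's UDP source ports as sequential or randomized.

Input is tcpdump-style text of outbound queries to port 53, parsed for
the source port and the 16-bit transaction ID (TXID) of each query.
"""
import re

# Constructed sample captures (not real traffic). The first walks ports
# in order, the behaviour the post describes for the patched OS X client;
# the second picks an unpredictable port per query, as a fixed BIND does.
CAPTURE_SEQUENTIAL = """\
18:02:11.100 IP 10.0.1.20.49152 > 10.0.1.1.53: 4102+ A? example.com. (29)
18:02:11.180 IP 10.0.1.20.49153 > 10.0.1.1.53: 4103+ A? example.net. (29)
18:02:11.250 IP 10.0.1.20.49154 > 10.0.1.1.53: 4104+ AAAA? example.org. (29)
18:02:11.300 IP 10.0.1.20.49155 > 10.0.1.1.53: 4105+ A? example.edu. (29)
"""
CAPTURE_RANDOM = """\
18:05:02.010 IP 10.0.1.21.51873 > 10.0.1.1.53: 60214+ A? example.com. (29)
18:05:02.090 IP 10.0.1.21.34019 > 10.0.1.1.53: 1832+ A? example.net. (29)
18:05:02.150 IP 10.0.1.21.60244 > 10.0.1.1.53: 44019+ AAAA? example.org. (29)
18:05:02.220 IP 10.0.1.21.45510 > 10.0.1.1.53: 9021+ A? example.edu. (29)
"""

# "IP <src-ip>.<src-port> > <dst-ip>.53: <txid>+ ..." ; the '+' marks RD set.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+")


def parse_queries(capture):
    """Return a list of (source_port, txid) for each outbound query."""
    return [(int(port), int(txid)) for port, txid in QUERY_RE.findall(capture)]


def sequential_fraction(ports):
    """Share of consecutive queries whose source port grew by exactly 1."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def assess(capture, port_space=65536 - 1024, threshold=0.5):
    """Verdict plus the size of the (port, TXID) space a forged reply must
    hit. Sequential ports make the next port predictable, so only the
    16-bit TXID is unknown; randomized ports multiply that by the number
    of ephemeral ports in use (assumed here as all ports above 1023)."""
    ports = [port for port, _ in parse_queries(capture)]
    if len(ports) < 2:
        raise ValueError("need at least two outbound queries to judge")
    frac = sequential_fraction(ports)
    sequential = frac >= threshold  # assumed threshold for this example
    txid_space = 1 << 16
    return {
        "queries": len(ports),
        "sequential_fraction": frac,
        "verdict": "sequential (not randomized)" if sequential else "randomized",
        "work_factor": txid_space if sequential else txid_space * port_space,
    }
```

To use this on a real host, feed it the text output of a capture of this machine's outbound UDP port 53 traffic; a verdict of "sequential" means the client is still showing the unpatched behaviour the post describes.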


20 Comments

Paul

What is this? Fox News? Dan called you out, the least you could do is post his response at the top of your article, you know, like any responsible journalist would do.

Oh wait. My bad, all the responsible people have left TUAW already.

August 02 2008 at 9:56 PM
2 replies to Paul's comment
Michael Rose

Most likely Dan was referring to Ryan Naraine, SANS or ComputerWorld, not this post (see the multiple links in the post for the sources). Don't think he reads TUAW, but I could be wrong.

August 02 2008 at 10:58 PM
Paul

Seriously?

WHO CARES who Dan is talking about. The fact of the matter is you wrote a non-article and then, right at the bottom, stick an update link that refutes pretty much every sentence you wrote above.

If you're wrong, suck it up and say so at the top of the post. Don't bury it at the bottom.

August 02 2008 at 11:15 PM
RJHD3

Apple sucks at security. Film at 11. Anyone who knows crap about Safari knows it's filled with vulnerabilities and holes that you could drive a truck through.

Apple willfully ignores them; and eventually they'll get seriously burned by this. But they won't change their behavior until they are forced to do so.

And as long as there's a massive base of people who flame anyone who says differently; the openly-discussed vulnerabilities and willful display of arrogance won't change.

http://www.infoworld.com/article/08/05/16/Apple-dismisses-Safari-download-issue_1.html

August 02 2008 at 1:17 AM
2 replies to RJHD3's comment
harrywolf

Hyperbole! "drive a truck through"? No, that simply is exaggeration.

There is some serious crap on this site about this whole deal.

According to my info, Apple has patched the server DNS issue - so I DON'T agree with TUAW.

Little bit of hysteria going on here - calm the f**k down.

This problem has been around for many YEARS, so let's not get hysterical, boys and girls.

August 02 2008 at 1:48 AM
RJHD3

Hyperbole?

When Apple makes on-the-record statements that fixing the carpet-bombing vulnerability in its product is a "feature enhancement", it's pretty much an on-the-record fact.

How about the fact that vulnerabilities in Safari allow someone to own your computer in 30 seconds:
http://www.builderau.com.au/news/soa/Apple-s-Leopard-hacked-in-30-seconds/0,339028227,339287733,00.htm

Or the fact that Apple is demonstrably laggard in its provisioning of security updates for known vulnerabilities:
http://www.macworld.com/article/132730/2008/03/zero_day_blackhat.html

Apple delivers good products, great user experiences, and brilliant marketing... but they haven't yet emphasized security in the way other platforms have; and the evidence will continue to mount.

August 04 2008 at 2:07 AM
Greg

I just ran the update mentioned and it trashed Dashboard. Dashboard crashes repeatedly now. Anyone else?

August 01 2008 at 9:15 PM
MBSkygazer

If you're running OS Server 10.3.9 then the update for DNS is NOT out yet.

August 01 2008 at 7:46 PM
Slartibartfast

Last week Comcast was still open and unpatched. Good thing I've been using OpenDNS for the past several years. They were on top of it rather quickly.

August 01 2008 at 7:29 PM
Roberto

Solution:
sudo echo "" > /etc/resolv.conf
How hard was that?

August 01 2008 at 7:24 PM
1 reply to Roberto's comment
Roberto

Actually, that patch is still buggy. Do not try it.

August 01 2008 at 7:27 PM
James

Can't tell you if it worked for me but my ISP has patched their servers.

August 01 2008 at 7:07 PM
Christian Schultz

If I understand the issue correctly, unless you use your personal Mac as a DNS server you would not know if the patch did anything or not. I suspect most, if not all, DNS servers provided by ISPs, or OpenDNS, have already been patched. My personal Mac showed no vulnerability before _or_ after the patch was released; my ISP had patched their servers previously.

August 01 2008 at 7:02 PM
Rob

DNS poisoning is a security vulnerability for DNS servers. It does not affect 99% of Mac users since they do not run DNS servers, but their ISPs do.

If your ISP is NOT properly patched, it may be possible for a bad guy to poison the DNS and successfully launch a phishing attack against any of the ISP's customers (i.e. YOU!). E.g. your browser says you are viewing www.amazon.com but you are actually viewing www.badguy.com. If you try to buy something and give your credit card number, kiss that credit card number goodbye.

Over the last year, Apple's track record for patching security holes has been TERRIBLE IMHO. Apple is often one of the slowest vendors to patch vulnerabilities. This slow response is a big concern, especially for those who run Mac OS X Server. If I were running a Mac server, I would seriously be thinking of switching to Linux or BSD.

Hmm. Maybe it is time for Linux-Mac server ads (like the Mac-PC desktop ads) which poke fun at Apple (at least for their server OS)!

August 01 2008 at 6:53 PM
1 reply to Rob's comment
Tony

It's also a threat for clients - it's just as easy for your local cache to be poisoned as the ISP's one.

The difference is it would only affect one machine rather than thousands, so is less likely to be targeted. I can think of scenarios where someone would do it though.

August 02 2008 at 8:21 AM
Gordon Werner

The patch seemed to work for me on an Intel iMac and a PowerPC Mac mini.

August 01 2008 at 6:48 PM
1 reply to Gordon Werner's comment
Slartibartfast

Are you testing your DNS server or your own machine? Big difference, ya know.

August 01 2008 at 7:26 PM
© 2012 AOL Inc. All Rights Reserved.