Apple's DNS patch coming up short
The distance between good intentions and actual results seems to be getting longer and longer. While Apple did release a security patch yesterday that included a fix to BIND for the highly publicized cache poisoning exploit -- some time after most other vendors got updates out to customers -- that fix doesn't seem to be, you know, actually working.

Multiple sources have noted that Apple's DNS patch, at least on Mac OS X 10.4 and 10.5 client versions, isn't implementing the key feature that's meant to block cache poisoning: randomization of the UDP source port on outgoing queries. While the same version of BIND running on Linux systems behaves as expected, Mac OS X machines doggedly issue DNS requests from sequential ports. That matters because a forged reply is accepted only if it matches both the query's 16-bit transaction ID and the port it was sent from; a predictable port leaves the attacker just the transaction ID to guess, making these machines far more vulnerable to spoofing.
This may seem like an esoteric vulnerability, and indeed for most Mac users the more important question is whether or not your ISP or network manager has patched the recursive DNS servers you rely on (you can check your DNS server status via Dan Kaminsky's tool here); an unpatched client resolver is mainly a concern when an attacker on the same network can observe or predict its queries. The behavior of Apple on this security issue, however, is very troubling. Waiting weeks to issue a patch for a key vulnerability and lagging behind other OS vendors is bad enough; shipping that patch only to have the user community discover that it doesn't work worth a bucket of warm spit ... that's not the act of a company that claims to care deeply about the security of its customers.
Update: Kaminsky suggests that we lighten up; Mac OS X Server (which would be the most vulnerable to attack, if it serves as the primary DNS for your network) has been patched, even if the client patch isn't behaving properly yet.
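If you want to see for yourself whether your machine's resolver is randomizing ports, the following script (an added example, not code from the original post or from Apple) scores a capture offline. It parses the one-line-per-packet text that `tcpdump -n udp dst port 53` prints, pulls the UDP source port and DNS transaction ID out of each outbound query, and estimates how many bits a blind spoofer would have to guess to get a forged reply accepted: a resolver walking ports sequentially (the behavior reported for the client patch) leaves only the 16-bit transaction ID, while a randomized port adds up to 16 more bits. The two capture texts in the script are constructed samples, not real traces, and the POOR/WEAK/GOOD thresholds are the author's own choice.

```python
"""Score DNS source-port randomisation from a tcpdump capture, offline.

Added example, not part of the original post. Parses `tcpdump -n udp dst port 53`
output, extracts (source port, transaction ID) per outbound query, and estimates
the bits an attacker must guess to forge an accepted reply.
"""
import math
import re

# One tcpdump line, e.g.
# "18:27:10.101 IP 10.0.0.5.49152 > 10.0.0.1.53: 31337+ A? www.example.com. (33)"
# Replies ("IP 10.0.0.1.53 > 10.0.0.5.49152: ...") do not end in ".53:" and are skipped.
QUERY_RE = re.compile(
    r"IP \d+\.\d+\.\d+\.\d+\.(?P<sport>\d+) > \d+\.\d+\.\d+\.\d+\.53: (?P<txid>\d+)\+?"
)

# Constructed sample 1: the source port climbs by one per query (predictable).
SEQUENTIAL_CAPTURE = """\
18:27:10.101 IP 10.0.0.5.49152 > 10.0.0.1.53: 31337+ A? www.example.com. (33)
18:27:10.133 IP 10.0.0.1.53 > 10.0.0.5.49152: 31337 1/0/0 A 93.184.216.34 (49)
18:27:10.154 IP 10.0.0.5.49153 > 10.0.0.1.53: 4242+ AAAA? www.example.com. (33)
18:27:10.901 IP 10.0.0.5.49154 > 10.0.0.1.53: 60001+ A? mail.example.com. (34)
18:27:11.233 IP 10.0.0.5.49155 > 10.0.0.1.53: 1500+ A? cdn.example.net. (33)
18:27:11.240 IP 10.0.0.5.49156 > 10.0.0.1.53: 22222+ A? www.example.org. (33)
18:27:12.007 IP 10.0.0.5.49157 > 10.0.0.1.53: 9876+ MX? example.com. (29)
18:27:12.512 IP 10.0.0.5.49158 > 10.0.0.1.53: 40000+ A? img.example.com. (33)
18:27:13.000 IP 10.0.0.5.49159 > 10.0.0.1.53: 555+ A? api.example.com. (33)
"""

# Constructed sample 2: the source port is drawn from the whole ephemeral range.
RANDOM_CAPTURE = """\
18:27:10.101 IP 10.0.0.5.51342 > 10.0.0.1.53: 31337+ A? www.example.com. (33)
18:27:10.154 IP 10.0.0.5.1027 > 10.0.0.1.53: 4242+ AAAA? www.example.com. (33)
18:27:10.901 IP 10.0.0.5.60019 > 10.0.0.1.53: 60001+ A? mail.example.com. (34)
18:27:11.233 IP 10.0.0.5.33458 > 10.0.0.1.53: 1500+ A? cdn.example.net. (33)
18:27:11.240 IP 10.0.0.5.8841 > 10.0.0.1.53: 22222+ A? www.example.org. (33)
18:27:12.007 IP 10.0.0.5.65300 > 10.0.0.1.53: 9876+ MX? example.com. (29)
18:27:12.512 IP 10.0.0.5.24601 > 10.0.0.1.53: 40000+ A? img.example.com. (33)
18:27:13.000 IP 10.0.0.5.4190 > 10.0.0.1.53: 555+ A? api.example.com. (33)
"""


def parse_queries(capture_text):
    """Return [(source_port, txid), ...] for every outbound query line."""
    found = []
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append((int(m.group("sport")), int(m.group("txid"))))
    return found


def guess_bits(values, width=16):
    """Bits of unpredictability in a sequence of `width`-bit field values.

    A constant step between successive values (0 for a fixed port, 1 for a
    sequential one) lets an observer predict the next value exactly, so it
    scores 0. Otherwise the observed spread, log2(max - min + 1), is used; with
    only a handful of samples this under-estimates slightly, so capture a few
    hundred queries before trusting the exact figure.
    """
    if len(values) < 2:
        return 0.0
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return 0.0
    return min(math.log2(max(values) - min(values) + 1), float(width))


def assess(capture_text):
    """Score a capture: bits per field, total bits to guess, and a verdict."""
    queries = parse_queries(capture_text)
    port_bits = guess_bits([p for p, _ in queries])
    txid_bits = guess_bits([t for _, t in queries])
    total = port_bits + txid_bits
    if port_bits < 1:
        verdict = "POOR: source port is fixed or sequential"
    elif port_bits < 8:
        verdict = "WEAK: source port drawn from a narrow range"
    else:
        verdict = "GOOD: source port is randomised"
    return {
        "queries": len(queries),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        "total_bits": round(total, 2),
        # A blind spoofer needs on the order of 2**total forged replies per hit.
        "work_factor": 2 ** total,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, capture in (("sequential", SEQUENTIAL_CAPTURE), ("random", RANDOM_CAPTURE)):
        print(name, assess(capture))
```

To feed it a real trace from a Mac, run something like `sudo tcpdump -n -l -i en0 udp dst port 53 > dns.txt`, generate a few hundred lookups, and pass the file's contents to `assess()`. The sequential sample scores 0 port bits and roughly 16 bits in total; the randomised sample scores close to 32, which is the difference between a spoofing attempt that is feasible from across the network and one that is not.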
What is this? Fox News? Dan called you out, the least you could do is post his response at the top of your article, you know, like any responsible journalist would do.
Oh wait. My bad, all the responsible people have left TUAW already..
Most likely Dan was referring to Ryan Naraine, SANS or ComputerWorld, not this post (see the multiple links in the post for the sources). Don't think he reads TUAW, but I could be wrong.
August 02 2008 at 10:58 PM
Seriously?
WHO CARES who Dan is talking about. The fact of the matter is you wrote a non-article and then, right at the bottom, stick an update link that refutes pretty much every sentence you wrote above.
If you're wrong, suck it up and say so at the top of the post. Don't bury it at the bottom.
Apple sucks at security. Film at 11. Anyone who knows crap about Safari knows its filled with vulnerabilities and holes that you could drive a truck through.
Apple willfully ignores them; and eventually they'll get seriously burned by this. But they won't change their behavior until they are forced to do so.
And as long as there's a massive base of people who flame anyone who says differently; the openly-discussed vulnerabilities and willful display of arrogance won't change.
http://www.infoworld.com/article/08/05/16/Apple-dismisses-Safari-download-issue_1.html
Hyperbole! "drive a truck through"? No, that simply is exaggeration.
There is some serious crap on this site about this whole deal.
According to my info, Apple has patched the server DNS issue - so I DON'T agree with TUAW.
Little bit of hysteria going on here - calm the f**k down.
This problem has been around for many YEARS, so lets not get hysterical boys and girls.
Hyperbole?
When Apple makes on-the-record statements that fixing carpet-bombing vulnerability in its product is a "feature enhancement" it's pretty much an on-the-record fact.
How about the fact that vulnerabilities in Safari allow someone to own your computer in 30 seconds:
http://www.builderau.com.au/news/soa/Apple-s-Leopard-hacked-in-30-seconds/0,339028227,339287733,00.htm
Or the fact that Apple is demonstrably laggard in its provisioning of security updates for known vulnerabilities:
http://www.macworld.com/article/132730/2008/03/zero_day_blackhat.html
Apple delivers good products, great user-experiences, and brilliant marketing...but they haven't yet emphasized security in the way other platforms have; and the evidence will continue to mount.
I just ran the update mentioned and it trashed dashboard. Dashboard crashes repeatedly now. Anyone else?
August 01 2008 at 9:15 PM
If you're running OS Server 10.3.9 then the update for DNS is NOT out yet.
August 01 2008 at 7:46 PM
Last week Comcast was still open and unpatched. Good thing I've been using OpenDNS for the past several years. They were on top of it rather quickly.
August 01 2008 at 7:29 PM
Solution:
echo "" | sudo tee /etc/resolv.conf   # the redirect in "sudo echo ... > file" runs in the unprivileged shell, so write through tee instead
How hard was that?
Actually, that patch is still buggy. Do not try it.
August 01 2008 at 7:27 PM
Can't tell you if it worked for me but my ISP has patched their servers.
August 01 2008 at 7:07 PM
If I understand the issue correctly, unless you use your personal Mac as a DNS server you would not know if the patch did anything or not. I suspect most, if not all, DNS servers provided by ISPs, or OpenDNS, have already been patched. My personal Mac showed no vulnerability before _or_ after the patch was released; my ISP had patched their servers previously.
August 01 2008 at 7:02 PM
DNS poisoning is a security vulnerability for DNS servers. It does not affect 99% of Mac users since they do not run DNS servers, but their ISPs do.
If your ISP is NOT properly patched, it may be possible for a bad guy to poison the DNS and successfully launch a phishing attack against any of the ISP's customers (i.e. YOU!). e.g. Your browser says you are viewing www.amazon.com but you are actually viewing www.badguy.com. If you try to buy something and give your credit card number, kiss that credit card number goodbye.
Over the last year, Apple's track record for patching security holes has been TERRIBLE IMHO. Apple is often one of the slowest vendors to patch vulnerabilities. This slow response is a big concern, especially for those who run Mac OS X Server. If I was running a Mac server, I would seriously be thinking of switching to Linux or BSD.
Hmm. Maybe it is time for Linux-Mac server ads (like the Mac-PC desktop ads) which poke fun at Apple (at least for their server OS)!
It's also a threat for clients - it's just as easy for your local cache to be poisoned as the ISP's one.
The difference is it would only affect one machine rather than thousands, so is less likely to be targeted. I can think of scenarios where someone would do it though.
The patch seemed to work for me on an Intel iMac and a PowerPC Mac mini.
August 01 2008 at 6:48 PM
Are you testing your DNS server or your own machine? Big difference ya know.
August 01 2008 at 7:26 PM
20 Comments