Filed under: OS, Bad Apple, Security
Apple's DNS patch coming up short
The distance between good intentions and actual results seems to be getting longer and longer. While Apple did release a security patch yesterday that included a fix to BIND for the highly publicized cache poisoning exploit -- some time after most other vendors got updates out to customers -- that fix doesn't seem to be, you know, actually working.

Multiple sources have noted that Apple's DNS patch, at least on the Mac OS X 10.4 and 10.5 client versions, isn't implementing the key feature that's meant to block cache poisoning: randomizing the source port of outgoing DNS queries. While the same version of BIND running on Linux systems behaves as expected, Mac OS X machines doggedly issue DNS requests from sequential ports, making them far easier to spoof, since a predictable port leaves a forger only the transaction ID to guess.
This may seem like an esoteric vulnerability, and indeed for most Mac users the more important question is whether or not your ISP or network manager has patched the primary DNS servers you rely on (you can check the status of your DNS server with Dan Kaminsky's online checker). The behavior of Apple on this security issue, however, is very troubling. Waiting weeks to issue a patch for a key vulnerability and lagging behind other OS vendors is bad enough; shipping that patch only to have the user community discover that it doesn't work worth a bucket of warm spit ... that's not the act of a company that claims to care deeply about the security of its customers.
Update: Kaminsky suggests that we lighten up; Mac OS X Server (which would be the most vulnerable to attack, if it serves as the primary DNS for your network) has been patched, even if the client patch isn't behaving properly yet.
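The check the post describes (do a client's DNS queries leave from sequential ports, or from unpredictable ones?) can be run against a packet capture. The following is an added example, not code from the TUAW post or from Apple or BIND; it assumes tcpdump-style lines and constructs its own sample captures.

```python
"""Added example, not code from the TUAW post or from Apple: judge from a
tcpdump-style capture of a client's queries whether its resolver randomizes the
DNS source port, the fix the post says the Mac OS X client patch did not deliver."""
import re

# Source port of the client in lines such as
# "12:00:00.0 IP 192.0.2.10.49152 > 192.0.2.1.53: 1000+ A? h0.example. (29)"
_SRC_PORT = re.compile(r"IP \d+\.\d+\.\d+\.\d+\.(\d+) > [\d.]+\.53:")

def source_ports(capture_text):
    """Return the UDP source port of every query sent to port 53, in order."""
    return [int(m.group(1)) for m in _SRC_PORT.finditer(capture_text)]

def port_randomness_report(ports, txid_bits=16):
    """Classify an ordered sample of observed source ports.

    A resolver that walks ports one by one produces consecutive deltas of +1
    (or another small constant); a randomizing resolver produces large,
    erratic deltas. guess_bits is the rough size, in bits, of the space a
    forged reply must hit: the 16-bit transaction ID alone when ports are
    predictable, plus about 16 more bits when the resolver draws the port
    from (close to) the full 16-bit range. That extra term is an assumption
    about the port range, not something measured from a short sample.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    small_steps = sum(1 for d in deltas if 0 < d <= 4)
    fraction = small_steps / len(deltas)
    verdict = "sequential" if fraction >= 0.8 else "randomized"
    return {"verdict": verdict,
            "small_step_fraction": round(fraction, 2),
            "distinct_ports": len(set(ports)),
            "guess_bits": txid_bits + (16 if verdict == "randomized" else 0)}

# Constructed captures (not real traces). The first shows a resolver that
# increments the source port on every query, as the post describes for the
# patched Mac OS X client; the second shows a randomizing resolver.
_LINE = "12:00:0{i}.0 IP 192.0.2.10.{p} > 192.0.2.1.53: {q}+ A? h{i}.example. (29)"
SEQUENTIAL_CAPTURE = "\n".join(
    _LINE.format(i=i, p=49152 + i, q=1000 + i) for i in range(8))
RANDOM_CAPTURE = "\n".join(
    _LINE.format(i=i, p=p, q=1000 + i)
    for i, p in enumerate([51832, 1025, 60311, 33876, 9910, 45201, 18073, 62999]))

if __name__ == "__main__":
    for name, cap in (("sequential", SEQUENTIAL_CAPTURE), ("random", RANDOM_CAPTURE)):
        print(name, port_randomness_report(source_ports(cap)))
```

Feed it the output of a real `tcpdump -n udp port 53` capture of your own machine's queries to see which column it falls into.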



Reader Comments (Page 1 of 2)
Tassia said 5:34PM on 8-01-2008
It works for me. Before the patch I did the test and it said I was vulnerable. Now the test tells me I'm safe.
simon said 5:42AM on 8-02-2008
Has anyone begun to think that maybe Apple is starting to take on too much at once? Let's face it, they make a massive markup on their products, so there's no need to rush products out at the rate they are. It's areas such as this where the cracks will start to appear.
Firmware 2.0 is buggy and slow.
The App Store is less than perfect and, dare I say it, looks a little cheap.
"Push": need I say any more?
And I won't even start on MobileMe.
I hope an Apple chief exec monitors this site's comments and sees how many negatives they are starting to get from their main fan base.
I bet Microsoft used to be good a long time ago too..... is Apple going the same way?
saycarramrod said 6:02PM on 8-01-2008
I consider myself to be somewhat knowledgeable in all things Apple, but this article went right over my head. Like the second paragraph makes no sense to me. I realize that this vulnerability may be an esoteric one, but there's no reason the article has to be as well.
Gordon Werner said 6:48PM on 8-01-2008
The patch seemed to work for me on an Intel iMac and a PowerPC Mac mini.
Rubbinz said 7:26PM on 8-01-2008
Are you testing your DNS server or your own machine? Big difference ya know.
RobK said 7:16PM on 8-01-2008
DNS poisoning is a security vulnerability for DNS servers. It does not affect 99% of Mac users since they do not run DNS servers, but their ISPs do.
If your ISP is NOT properly patched, it may be possible for a bad guy to poison the DNS and successfully launch a phishing attack against any of the ISP's customers (i.e. YOU!). E.g. your browser says you are viewing www.amazon.com but you are actually viewing www.badguy.com. If you try to buy something and give your credit card number, kiss that credit card number goodbye.
Over the last year, Apple's track record for patching security holes has been TERRIBLE IMHO. Apple is often one of the slowest vendors to patch vulnerabilities. This slow response is a big concern, especially for those who run Mac OS X Server. If I were running a Mac server, I would seriously be thinking of switching to Linux or BSD.
Hmm. Maybe it is time for Linux-Mac server ads (like the Mac-PC desktop ads) which poke fun at Apple (at least for their server OS)!
Tony said 8:21AM on 8-02-2008
It's also a threat for clients - it's just as easy for your local cache to be poisoned as the ISP's one.
The difference is it would only affect one machine rather than thousands, so it is less likely to be targeted. I can think of scenarios where someone would do it, though.
Christian Schultz said 7:03PM on 8-01-2008
If I understand the issue correctly, unless you use your personal Mac as a DNS server you would not know if the patch did anything or not. I suspect most, if not all, DNS servers provided by ISPs, or OpenDNS, have already been patched. My personal Mac showed no vulnerability before _or_ after the patch was released; my ISP had patched their servers previously.
James Madley said 7:09PM on 8-01-2008
Can't tell you if it worked for me but my ISP has patched their servers.
Roberto said 7:24PM on 8-01-2008
Solution:
sudo echo "" > /etc/resolv.conf
How hard was that?
Roberto said 7:27PM on 8-01-2008
Actually, that patch is still buggy. Do not try it.
Rubbinz said 7:29PM on 8-01-2008
Last week Comcast was still open and unpatched. Good thing I've been using OpenDNS for the past several years. They were on top of it rather quickly.
Jeremy said 7:42PM on 8-01-2008
TUAW is really going downhill lately with its articles. This is a total scare article that implies huge security risks that don't actually exist.
The very small potential vulnerability Apple has possibly left here is a far cry from being "as useless as a bucket of warm spit."
Let's can the hyperbole, and start acting like adults. Unless you want this site to start to appear like Engadget or Gizmodo and generate the same lack of respect those sites engender.
What's next? Porn and swearwords in every article?
MBSkygazer said 7:47PM on 8-01-2008
If you're running OS Server 10.3.9 then the update for DNS is NOT out yet.
Greg said 9:31PM on 8-01-2008
I just ran the update mentioned and it trashed dashboard. Dashboard crashes repeatedly now. Anyone else?
RJHD3 said 1:17AM on 8-02-2008
Apple sucks at security. Film at 11. Anyone who knows crap about Safari knows it's filled with vulnerabilities and holes that you could drive a truck through.
Apple willfully ignores them; and eventually they'll get seriously burned by this. But they won't change their behavior until they are forced to do so.
And as long as there's a massive base of people who flame anyone who says differently; the openly-discussed vulnerabilities and willful display of arrogance won't change.
http://www.infoworld.com/article/08/05/16/Apple-dismisses-Safari-download-issue_1.html
harrywolf said 1:48AM on 8-02-2008
Hyperbole! "drive a truck through"? No, that simply is exaggeration.
There is some serious crap on this site about this whole deal.
According to my info, Apple has patched the server DNS issue - so I DON'T agree with TUAW.
Little bit of hysteria going on here - calm the f**k down.
This problem has been around for many YEARS, so let's not get hysterical, boys and girls.
RJ said 2:07AM on 8-04-2008
Hyperbole?
When Apple makes on-the-record statements that fixing the carpet-bombing vulnerability in its product is a "feature enhancement", it's pretty much an on-the-record fact.
How about the fact that vulnerabilities in Safari allow someone to own your computer in 30 seconds:
http://www.builderau.com.au/news/soa/Apple-s-Leopard-hacked-in-30-seconds/0,339028227,339287733,00.htm
Or the fact that Apple is demonstrably laggard in its provisioning of security updates for known vulnerabilities:
http://www.macworld.com/article/132730/2008/03/zero_day_blackhat.html
Apple delivers good products, great user-experiences, and brilliant marketing...but they haven't yet emphasized security in the way other platforms have; and the evidence will continue to mount.
Paul said 9:57PM on 8-02-2008
What is this? Fox News? Dan called you out, the least you could do is post his response at the top of your article, you know, like any responsible journalist would do.
Oh wait. My bad, all the responsible people have left TUAW already..
Michael Rose said 10:58PM on 8-02-2008
Most likely Dan was referring to Ryan Naraine, SANS or ComputerWorld, not this post (see the multiple links in the post for the sources). Don't think he reads TUAW, but I could be wrong.