Apple Still Has Not Patched the DNS Hole
Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
Waiting for the port.
They've had a while... What's keeping them? Do they WANT Mac OS X Server to suck more than it does already?
Are there any statistics on how many Macs are being utilized as DNS servers? Is it more than three? [runs away]
The problem is that they didn't apply the patch to the OS; they applied a patch directly to the Reality Distortion Field, ensuring that this isn't a vulnerability in the first place.
apple are turning evil http://apple.slashdot.org/article.pl?sid=07/02/09/2036259&from=rss
and
microsoft are coming to the good side lately http://apache.slashdot.org/article.pl?no_d2=1&sid=08/07/25/2135202
use a dedicated dns box that is patched.
The genius coders at Apple probably saw this bug years ago and fixed it then. Of course there is no need for a patch now.
Wait, what?
This sort of thing is why nobody should be using OS X Server for critical infrastructure. OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.
It seems like Apple is always dragging their feet on security updates, and that alone should cause a major aversion on the part of anybody thinking of deploying their server software into production.
.. $500 million 'Why Vista is better than Apple because we say so' campaign.
At the Angrydome (which I started out of frustration of this and other things Apple related)
The only statements we have been able to get out of apple has been from the bug reporting tool. They have stated that they are working on a fix, but it is causing problems in some instances of their deployments, but don't see it as an emergency because there isn't a targeted exploit against their user base.
They do not need to understand that this is a protocol specific issue, not a code specific issue.
What's this Vista you all speak of?
Steve Jobs was heard murmuring something about telekinesis, and how he should be able to patch every individual machine within a week from his iChamber.
After failing the task, a fresh clone was sent in.
Not surprised. Since 11/Jul, diligence, good customer relationships and even common sense seem to have left the company. Guess it's true that cellphones cause cancer: too much iPhone use has fried Jobs' brain...
need to lay off the coffee right now.
Maybe because he is sick/out of work is why they can't patch it (They fear their boss might yell at them for patching it without his consent...)
OR They are so stubborn that they believe there is and never will be anything wrong with a Mac.
OR They are still testing the patch (highly unlikely since it has little interference with how the server functions...)
Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.
Well, that's what my Mac using friend whose reality is severely distorted told me - "I don't have to worry, I use Mac.". Further arguments were futile after that.
I think this article we hate Apple because they missed a release date on a patch that /. considers critical, even if the rest of the world doesn't.
If all you had to do was keep a constant opinion, what would be the freakin' point of posting at all? Bunch of zombies that all say the same thing, oh yeah, very constructive (though it's ALMOST what it is anyhow).
What's important is how constructive what you say is and if it adds value to the discussion (and yes, being funny does add value).
The system is broken, but not as much as one would think... Most of the moderations I get on pro-Windows posts get modded up (and those that get modded down, half of the time it's because I was not constructive and only ranting), on such an anti-MS web site... so it's not completely hopeless.
Apple was never secure. It was just unused. The exact same thing is going on ATM with their X server. Not so much a security flaw (though it might be) as much as a major bug. If you send too many events at once (not insane amounts, just a lot) it simply crashes, bringing down all the X apps with it. Upstream was fixed over a year ago, they just refuse to roll out an update. I guess it's an attempt to make devs port to Cocoa/Carbon/whatever-it's-called, but for some of us, that's just not an option. More specifically, it's a program developed by part of a university bioinformatics lab, and we just don't have the manpower or the grant support to do it. So we're either stuck with only supporting Linux, trying to find a workaround, or just ignoring it and hoping it doesn't happen too often. The last option is what we ended up choosing.
when asked by the Apple community why Apple still has not issued a patch for the well known recently discovered DNS exploit, Jobs replied "we actually have OS X Server users?"
Dear valued Apple customer:
We received your message regarding "unpatched Mac OS X Server security hole". We appreciate your business, and we will do everything to address your concerns as soon as possible. Unfortunately, Steve is away from his desk on leave due to health concerns related to his non-lethal pancreatic cancer. He will be happy to fix the problem with "unpatched Mac OS X Server security hole" as soon as he returns to work.
Sincerely,
Apple Customer Service
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default). Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break Squirrelmail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.
I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went in to it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned is that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market...Which is really too bad, cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.
Now that I've got all that off my chest, Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market again; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else...Apple really has to get things together or get out of the "server" market.
Perfect headline-skewing opportunity..."Apple still has not patched the Goatse hole."
I have a DSL broadband subscription with AT&T (it used to be a small local company and they got bought by whatever is now called AT&T).
I noticed that their DNS was unpatched and I used their support forms to report the problem.
The reply came only a few hours later. To quote: "We regret we cannot help you with your WorldNet dialup problem".
Huh?
So their networking department is not patching critical protocol flaws, and they programmed their answerbots to laugh at us users if we attempt to point out said flaws. Since when does Simon the BOFH work for AT&T DSL support?
AT&T network admin? It's a great job if you can get it.
Fantasy: http://ferrisfantasy.blogspot.com/
Is the keyboard and mouse preferences panel in the system preferences not enough?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Or maybe you kids should browse at +1. Won't someone think of the children?
If you're more worried about how you get moderated and what the results are than about saying what you really think, you're worried about the wrong thing.
Moderation is a gimmick to get people to come talk here. I sometimes succumb to the temptation to check how I've been moderated, too. But the only way I (think I) am letting moderation affect my posts is to motivate me to write clear, succinct, logical posts. And you can see that I don't let moderation motivate me very much. :|-
be CORED???
Cobblered?
Clobbered?
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
There is always one bad Apple (tm) that spoils the whole bunch.
music lover since 1969
I hit the karma cap years ago - seriously, who cares?
What is the karma cap?
(Posted anon because I modded GP "+1 Insightful." Just doing my bit to add to the schizophrenia.)
http://xquartz.macosforge.org/trac/wiki/Releases
They're waiting for xorg to stop sucking.
I had trouble with the Leopard X server, but being that the OS was new (10.5.2 at the time) I went around IRC asking and found that others were downgrading their x servers to a more stable previous version (of xquartz & X11). So that's what I did. Still buggy, but crashes occur far less often.
FYI When stability is critical with Mac OS, gotta stay with the 10.x.9,10,11 and wait for the 10.x.3 to grow up to those numbers before upgrading. If machines came preinstalled, gotta bite the bullet and go back and install what's stable.
The Admin and the Engineer
Given the issues this patch caused with Vista, I'm not at all surprised they're putting more thorough testing through on this.
Apple does not want to lose its "just works" reputation by slaughtering internet connections on its platforms.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Never mind. My question was answered in the FAQ. I'll just content myself with adding to the mis-spellinks.
But nobody has yet been able to hack a Mac convincingly.
Think with your head, not with your bias. Security (or lack thereof) is not directly proportional to market share.
Wow, I can't believe there are still people out there as totally clueless as yourself. How about you do a little bit of research and you can find yourself some nice hacks for Macs, or you could download the latest exploit kits that target this vulnerability and go to town on OS X servers out there.
eg here is an old article from a few years ago which came at the top of my search
http://www.zdnet.com.au/news/security/soa/Mac-OS-X-hacked-under-30-minutes/0,130061744,139241748,00.htm
come out from under your rock and join the real world, OS X has some very real security issues, over 200 vulnerabilities in the last 12 months combined with slow patching and poor handling of real world issues.
You see? It starts...
Ok, first of all, you're confusing 'hacks' with 'cracks.' People 'hack' hardware, software, etc., on their own personal devices to make them do what they want. So of course people will hack anything, or try to. Everything you listed has indeed been hacked. Cracking, however, is a different matter. People 'crack' other people's hardware, software, or devices to make them do what the cracker wants without the owner knowing. The PSP has not been 'cracked.' The iPhone has not been 'cracked.' The Xbox has not been 'cracked.' Macs have been hacked, and cracked, convincingly, as sibling mentions. I agree that security, or lack thereof, is not directly proportional to market share. I'm just saying that if market share is small, security is irrelevant. Apple has gotten used to it being irrelevant. On another, slightly off-topic note, it's people like you who give Linux and hackers a bad name. Stop it. On another, slightly more off-topic note, I'm writing this from my new (jailbroken) iPhone, which I am pleased with.
And do you believe in God, Santa, and the Tooth Fairy too?
no but obviously you do!
PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was playstation, and even gamecube, and even sega dreamcast.
Gee, I wonder if all these were targeted for a very specific reason, like wanting to play copied/pirated games.
If I leave my front door unlocked and nobody walks through it I don't automatically assume it is secure and safe practice to do so. It would be nice to live in the world you seem to live in, where the tooth fairy is real and where security is defined as how many times you have been attacked.
And went to the source, and clicked the little "test my DNS" button, and it says my OS X is OKAY.
Are they sure Apple ain't patched it? Or is their little button broken? Or did they test it on an outdated OS X?
Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy
PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was playstation, and even gamecube, and even sega dreamcast.
People will hack anything, just to say they did. Kids brought up on Macs at schools who don't have stupid anti-apple biases will try to hack their school computers. Or maybe even if they do have anti-apple biases.
But nobody has yet been able to hack a Mac convincingly.
Wow, talk about a stupid argument. The common thing with all of those you listed is they were "hacked" so you could load your own software/games onto them. Ignoring the fact you can do that already in OSX, people have been hacking Macs to run Windows/Linux/whatever for years, and this was before Apple made it easy to do so. Similarly, people have been hacking Apple's OS to run on non-Apple hardware for years too. So if that's your definition of "hacking", then there have been "hacks" out there for Macs for decades. Obviously none of this has anything to do at all with network security, so I don't even know why you brought it up.
As a fellow Xserve admin, I have to agree with every gripe you've got up about OS X Server. For anyone who thinks otherwise, an Xserve with Samba and AFP is NOT a simple drop-in replacement for a Windows file server with AFP. I have nothing personal to add because the parent said it plain as day.
Hi I'm a Mac DNS server, and Windows Vista is way more secure than OSX.
*dives for cover*
Not being entirely happy with the DNS in Leopard Server, I run several DNS servers on the side that have been patched. What I run on the Apple Server are the Apple specific server apps. There was no particular reason to keep the DNS there.
Mac OS X Server has a server-based podcast utility that generates all your desired derivative versions of podcasts for various resolutions. You use a simple video capture client on your desktop or notebook and the video is uploaded to the server, where a workflow is applied to it and a lot of stuff is done by one or more distributed machines. A very nice solution if you have more than one podcast to do or want to support more than one resolution.
I'm sure that's very easy to do, but is there really that much of a demand for the distributed rendering of podcasts? Are most of the killer features av related? That would make some sense.
Well.. maybe. Or Maybe not. But Definitely not sort of.
I do Mac development here and I am messing around with podcast production. This just happens to be the first feature I came across that was a really nice touch. Multimedia mastering is big these days, and reducing drudgery is a noble goal. I am sure I will discover other fine features as I go forward, but I was impressed with that one.
A story about an alternative lifestyle offends you to the point where you want to ban anonymous speech because you claim your children might read it, but you don't have a problem with your children reading a post in which you anonymously direct violent, vulgar, and abusive language at an anonymous poster on slashdot.
apple was never secure. It was just unused.
Au contraire - classic Mac OS was vastly more secure than most Linux distributions at the time, at least from external attacks. Classic Mac OS was never secure from local users with physical access to the box, and of course there have been security holes here and there. However, when RedHat was shipping with dozens of ports open and who knows what daemons listening on them, Mac OS had zero ports open, out of the box. Large web sites like www.army.mil running on Mac OS were certainly the exception rather than the rule, but that's not the only reason Macs enjoyed better network security than much of their competition.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
What I don't understand is, why don't they release security fixes.
I think they use bind; there are at least some patched ones out (although they are slower than the original bind).
This also happens with a lot of other parts of the system. There is a patch out there but Apple doesn't apply and release it.
I don't know their policy, but this is a really odd way of doing things.
New things are always on the horizon
If only the packages are signed, then an impostor update server could use Apple's older update packages to introduce old security holes into target systems.
The OS should use either SSL connections or signed manifests to avoid this problem.
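The rollback attack the post above describes, as an added example that is not part of the original thread: with per-package signatures alone, an impostor update server can replay an old, validly signed package and the client accepts it; a signed manifest that names the current version (and carries a sequence number so the manifest itself cannot be replayed) closes that hole. HMAC stands in for the vendor's real (asymmetric) signature so the code runs offline; the key, the package name, the payloads and the version strings are all constructed for this example and do not correspond to any actual Apple or BIND release.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's signing key. A real update system uses an asymmetric
# key pair with only the public half on the client; HMAC is used here only so the
# example runs stand-alone. Key, package names and versions are constructed.
VENDOR_KEY = b"example-vendor-signing-key"


def sign(body: bytes) -> str:
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def verify(blob: dict) -> bool:
    return hmac.compare_digest(blob["sig"], sign(blob["body"]))


def make_package(name: str, version: str, payload: str) -> dict:
    body = json.dumps({"name": name, "version": version, "payload": payload},
                      sort_keys=True).encode()
    return {"body": body, "sig": sign(body)}


def make_manifest(latest: dict, seq: int) -> dict:
    """Signed manifest: current version of every package plus a monotonically
    increasing sequence number, so an old manifest cannot be replayed either."""
    body = json.dumps({"latest": latest, "seq": seq}, sort_keys=True).encode()
    return {"body": body, "sig": sign(body)}


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def accept_package_only(pkg: dict) -> bool:
    """Client that checks only the package signature. A replayed older package
    still carries a valid vendor signature, so it is accepted and the old
    security hole is reintroduced."""
    return verify(pkg)


def accept_with_manifest(pkg: dict, manifest: dict, installed: str, last_seq: int) -> bool:
    """Client that requires a fresh, signed manifest vouching for this exact
    version and refuses to move backwards from what is already installed."""
    if not (verify(manifest) and verify(pkg)):
        return False
    man = json.loads(manifest["body"])
    if man["seq"] < last_seq:
        return False  # stale manifest replayed by the impostor server
    meta = json.loads(pkg["body"])
    if man["latest"].get(meta["name"]) != meta["version"]:
        return False  # package is not the version the manifest vouches for
    return version_tuple(meta["version"]) >= version_tuple(installed)


if __name__ == "__main__":
    old = make_package("bind", "9.4.1", "old-named-binary")      # hypothetical versions
    new = make_package("bind", "9.4.2", "fixed-named-binary")
    manifest = make_manifest({"bind": "9.4.2"}, seq=7)
    # Impostor server replays the old, validly signed package to a patched host.
    print("package-only client accepts replayed old package:",
          accept_package_only(old))                                 # True
    print("manifest client accepts replayed old package:",
          accept_with_manifest(old, manifest, "9.4.2", 7))          # False
    print("manifest client accepts genuine update:",
          accept_with_manifest(new, manifest, "9.4.1", 5))          # True
```

Checking the transport (SSL to the update server) protects the manifest in transit, but the version pin and sequence number are what stop a mirror or a man in the middle from serving yesterday's signed files.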
On Macs at school, reboot to single user, then mount -uaw /, next rm /var/db/.applesetupdone, then power it off and wait for the next poor noob to turn it on and be confused and not want to fill out that registration form. It's funny.
Go read the Xserver mailing list archives
http://lists.apple.com/archives/Macos-x-server/2008/Jul/thrd5.html
Concerning the issue under discussion for a deeper
insight into how the Xserver community thinks.
Still not patched yet still not hacked (YMMV).
GP32 (gamepark - a handheld game console) was hacked.
lol what? The GP32 and its successor, the GP2X, are designed to run homebrew, emulators etc with 100% raw hardware access out of the box. That's pretty much the entire point of them, given the scarcity of commercial titles.
...according to the tech support "engineers" at Apple. I spent about two hours on the phone with them Friday, trying to find out when or IF there would be a patch.
No one I talked to had ever heard of the problem.
Two people told me it was a Windows-only issue, and I shouldn't worry about it.
Neither of the two more helpful people I talked to had ever heard of bind.
One person put me on hold for just under five minutes, then told me he had made an "extensive search through Google" and wasn't able to find any information about a DNS vulnerability in Apple, so I must be mistaken.
One person had heard of bind, and told me that if there was a security problem, it would be fixed in the next security update. I asked when that would be released, and he told me "No one below Steve Jobs can tell you that -- it's proprietary information, and we don't release that sort of information."
So you can all relax -- it's not a problem that affects macs, and if it is, someone will fix it. Eventually. Maybe. But if we told you when it will be fixed, we'd have to sue you.
Modded -1 for the best retort to a stupid claim (security through obscurity)!!!! What the hell is going on here today? By the way, said "stupid anti-mac bias" would ENCOURAGE hacking Macs more than normal. Funny how that doesn't work out though.
What I don't understand is, why don't they release security fixes.
Short answer: they do, just not as fast as the tin-foil hat crowd would like. Read up on project management and risk assessment. You'll find that security isn't always (nor does it need to be) the number one priority in a business model, regardless of what slashdot group-think tells you.
It's "supposed", not "suppose".
I supposed you are right.
I had forgotten Apple even sold a server. Unfortunately, so did they.
Mod AC up as informative please.
I heard that Microsoft has erm... (thinking..) Mojave
Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.
Well, I disliked Microsoft ever since DOS 3.1 (and had no contact with M$ products before). In fact I used DR-DOS if at all possible. M$ products were always something I only used if I were paid to or absolutely had to.
Of course I am not quite sure when my dislike turned into outright hate - but it must have been around the time when M$ betrayed IBM over OS/2.
They're still busy developing a patch for the ARDAgent root exploit.
It's just bind, why not just build a replacement yourself?
(or use macports, which had the patched bind available the day ISC released the patch).
An excerpt from my submission log:
2008-07-26 15:40:03 Apple Lags Patching DNS Poisoning Vulnerability (Apple,Security) (rejected)
Seems like I have to improve my karma (or something) to get noticed. Ah well, I'll continue reading, I just won't bother trying to submit.
Enlightenment? It's just a flush in the pan.
If I leave my front door unlocked and no body walks through it I don't automatically assume it is secure and safe pratise to do so
If I did it for decades and nobody walked through, I might assume it is safe.
I hardly think today's Apple is "following Microsoft's path 15 years later"?
Apple puts out quite a few security updates, as far as I can see. My OS X software updates has offered me several of them consistently, every month or so.
The fact is though, market share of Apple Macs running OS X is still well under 10% -- and unlike Microsoft, I don't think Apple as a company is that concerned about it either.
Steve Jobs has said repeatedly that he doesn't aim to be dominant in sales, like Microsoft. He's more comfortable having a company catering to consumers and small business customers, willing to pay a premium for a perceived "higher end" computing experience.
If Apple's business model was anything like Microsoft's - they'd be slashing prices on iMacs and Mac Minis, making sure $200-400 price point systems were out there in every single Wal-Mart and OfficeMax store, and would probably have sold OS X on store shelves for ANY generic PC by now too.
This also means Apple has the luxury of not having to stop what they're doing and immediately jump on patching every new security flaw that comes along. Only big corporate/govt. users are the ones truly paranoid and insistent on this stuff being fixed NOW. Most consumer and small office users don't even READ about such flaws, much less make their purchasing decisions based on how quickly the manufacturer addresses the flaws.
Beneath the shiny exterior, Apple has always sucked tremendously from a technical and user-centric focus, preferring to dedicate R & D to appealing to metrosexuals who are more interested in status than functionality.
Apple doesn't have bugs or need patches...or don't you watch tv, read magazines, podcast.......
Only MS os's have to worry about such things the rest of us are as sound as a pound.
issues with cache poisoning can be dramatically reduced in risk by limiting requests for recursion to hosts within your own network.
I would generally expect it to be pretty easy to induce network members into doing DNS lookups. Some examples:
* Send spoofed email messages with hyperlinks to a web page you control to users inside your network. Use follow-on links or JavaScript on that web page to manipulate the user's web browser into requesting the DNS names you want.
* Connect to a mail server that does lookups on the HELO or MAIL FROM domains (most of them, these days).
From there, it's a short trip to Exploitville.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
It is a feature.
From what I understand of the problem, you shouldn't have any problem even if your DNS is not patched, unless you use recursion.
So basically, don't use recursion, right? And since you really don't need recursion, what's the problem? Misconfigured DNS?
Given the issues this patch caused with vista, i'm not at all surprised they're putting more thorough testing through on this.
The issue wasn't with Windows, it was with ZoneAlarm (which is not a Microsoft product). And Vista wasn't even affected, only 2000/XP, according to the ZA website:
http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Specifically, the ZoneAlarm firewall component assumed that DNS queries would always come from a single port. The fix for this DNS vulnerability is to intentionally randomize query source ports. ZoneAlarm simply assumed that DNS queries would only ever come from a single port, and fell apart. From an intrusion-detection standpoint, I could see that change in behavior raising some flags, but apparently ZoneAlarm's initial response was that the patch was defective, which suggests they simply didn't know what was going on.
Does Apple routinely test their OS security updates to make sure they don't break poorly-written third-party software? (I honestly have no idea; I'm not a Mac user.)
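What the "test my DNS" button mentioned earlier in the thread checks, and what the ZoneAlarm post above explains the patch changed, is whether a resolver's outgoing queries use a fixed UDP source port or a randomized one. The following is an added example, not code from the original thread or from any of the vendors discussed: it parses tcpdump-style summary lines of a resolver's outgoing queries and reports whether the source port and transaction ID are predictable, along with the size of the space a spoofer would have to guess. The log lines are constructed for this example, the line format is assumed to follow tcpdump's DNS summary output, and the ephemeral-port range (1024-65535, 64512 ports) is a stated assumption.

```python
import re

# Assumed tcpdump-style query summary: "IP <src>.<sport> > <dst>.53: <txid>[+] <qtype>? <qname>. (<len>)"
# Only lines whose destination port is 53 and that carry a question ("<qtype>?") are queries;
# responses and unrelated traffic are skipped.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? "
)

# Constructed sample: a resolver that sends every query from one fixed source port
# (pre-patch BIND behaviour) with varying transaction IDs. Not a real capture.
UNPATCHED_LOG = [
    "IP 192.0.2.10.32768 > 198.51.100.1.53: 51283 A? www.example.com. (33)",
    "IP 192.0.2.10.32768 > 198.51.100.1.53: 7741 A? mail.example.com. (34)",
    "IP 198.51.100.1.53 > 192.0.2.10.32768: 51283 1/0/0 A 203.0.113.5 (49)",  # a response: skipped
    "IP 192.0.2.10.32768 > 198.51.100.2.53: 60022 AAAA? www.example.net. (35)",
    "IP 192.0.2.10.32768 > 198.51.100.2.53: 18930 MX? example.org. (29)",
    "IP 192.0.2.10.32768 > 198.51.100.1.53: 2217 A? ns1.example.com. (33)",
    "IP 192.0.2.10.32768 > 198.51.100.3.53: 44190 A? cdn.example.com. (33)",
    "IP 192.0.2.10.32768 > 198.51.100.3.53: 31054 NS? example.com. (29)",
    "IP 192.0.2.10.32768 > 198.51.100.1.53: 9876 A? ftp.example.com. (33)",
]

# Constructed sample: a patched resolver randomizing both source port and TXID.
PATCHED_LOG = [
    "IP 192.0.2.10.50417 > 198.51.100.1.53: 7 A? www.example.com. (33)",
    "IP 192.0.2.10.61933 > 198.51.100.1.53: 64000 A? mail.example.com. (34)",
    "IP 192.0.2.10.1204 > 198.51.100.2.53: 31337 AAAA? www.example.net. (35)",
    "IP 192.0.2.10.38821 > 198.51.100.2.53: 12345 MX? example.org. (29)",
    "IP 192.0.2.10.55000 > 198.51.100.1.53: 400 A? ns1.example.com. (33)",
    "IP 192.0.2.10.10233 > 198.51.100.3.53: 52011 A? cdn.example.com. (33)",
    "IP 192.0.2.10.47519 > 198.51.100.3.53: 28001 NS? example.com. (29)",
    "IP 192.0.2.10.29384 > 198.51.100.1.53: 9090 A? ftp.example.com. (33)",
]

EPHEMERAL_PORTS = 64512  # assumption: ports 1024-65535 available for source-port randomization
TXID_SPACE = 65536       # 16-bit DNS transaction ID


def parse_queries(lines):
    """Return (source_port, txid) for every line that is an outgoing DNS query."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def assess(pairs, min_samples=8):
    """Classify resolver behaviour from observed (source port, TXID) pairs.

    guess_space is the number of (port, TXID) combinations a blind spoofer must
    cover: only the TXID if the port is fixed, neither if the TXID is also predictable."""
    if len(pairs) < min_samples:
        return {"verdict": "INSUFFICIENT", "guess_space": None}
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    fixed_port = len(set(ports)) == 1
    # TXIDs that are constant or step by one are trivially predictable.
    predictable_txid = len(set(txids)) == 1 or all(b - a == 1 for a, b in zip(txids, txids[1:]))
    guess_space = (1 if fixed_port else EPHEMERAL_PORTS) * (1 if predictable_txid else TXID_SPACE)
    return {
        "verdict": "POOR" if (fixed_port or predictable_txid) else "GOOD",
        "fixed_port": fixed_port,
        "predictable_txid": predictable_txid,
        "guess_space": guess_space,
    }


if __name__ == "__main__":
    for label, log in (("unpatched", UNPATCHED_LOG), ("patched", PATCHED_LOG)):
        print(label, assess(parse_queries(log)))
```

The "GOOD" verdict is what a firewall tuned for the old behaviour sees as an anomaly: eight queries from eight different source ports instead of one, which is exactly the pattern the ZoneAlarm component mistook for a defect.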
so a jailbroken iPhone is not cracked? enabling users to do what the manufacturer doesn't want you to do?
and the PSP hasn't been cracked to enable people to run pirated games and homebrew software, against the wishes of the manufacturer?
The Xbox has been cracked to allow modchips to run.
it's people like you who give Linux and hackers a bad name.
no, it's people like you who are doing that. I'm a Linux user. Most of my computers at home run Linux, and I am a Linux sysadmin by day, so don't presume I'm anti-Linux. I'm just anti-stupidity.
The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
My definition of hack is making it do what it was not intended to do. Which in this instance is broad enough to cover hacking an operating system to make it do what it wasn't supposed to: ie; run malicious software.
but too many people scream "ooo.. apple... dirty" and won't touch them. then they go on to make stupid claims without taking the time to ever actually find out for themselves.
I'm a strong proponent of thinking for myself. If somebody says something, I'm more likely to prove it than take their word for it. Unless they say something like "stabbing yourself with this sharp pointy thing in the eyeball will lead to great inconvenience." Then I'll probably concede the point to them.
Please stop it.
"apple was never secure. It was just unused."
OSX is far more secure than Windows, always has been.
The Dunning-Kruger effect explains most posts on
They are a company that cares more about cutesy looks rather than reasonably priced products, popping out stupid adverts and suing people who have the temerity to make mention of their products before Crapple can have yet another overblown posefest launch, than they do about fixing issues as soon as they are found. Once again the problems of a monopolistic structure rather than the more effective and efficient OSS model are showing its flaws, to the detriment of the customers of that monopolistic monolith.
like who uses OSX server anyway? I've seen scads of macbooks, but OSX servers...? c'mon. I just tested a macbook and it came up just fine on doxpara's test.
he did it to annoy dorks like you and , obviously, it worked.
But macs are great hardware....for running Linux ;o)
Debian FTW
Security Update 2008-005
* Open Scripting Architecture (ARDAgent etc...)
* BIND
* CarbonCore
* CoreGraphics (2)
* Data Detectors Engine
* Disk Utility
* OpenLDAP
* OpenSSL
* PHP
* QuickLook
* rsync