Apple Still Has Not Patched the DNS Hole

Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."

Typical Apple Situation

Waiting for the port.

The patch is undocumented

[commodoresloat]

The problem is that they didnt apply the patch to the OS; they applied a patch directly to the Reality Distortion Field, ensuring that this isn't a vulnerability in the first place.

Mac OS X ...Server?

[sexconker]

Wait, what?

Re:Mac OS X ...Server?

Wow, sounds great, tell me more about the security, i want to use their super-slick interface for my DNS servers.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:t3h horror!

[Annymouse+Cowherd]

I would bet it's about as many as are being used as servers, which is not many.

Re:t3h horror!

I'm not sure. But what I do know is that the patch is going to require a hardware upgrade; Apple would have it no other way.

[runs and hides]

Re:t3h horror!

[JanneM]

Either that, or a $20 charge for "new features"...

Come now, give Apple some credit. This isn't just some run-of-the-mill bug, this is a serious security issue that could cause their customers some serious harm if not fixed.

I'd expect $100 at least; or perhaps they'll introduce the innovative "iLease", with a "lease to own" path for the fixed bug where it's patched permanently on your server after only three years of monthly bug fix rental.

Lawyered up

[markdowling]

Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy