Apple Still Has Not Patched the DNS Hole
Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
What are you smoking? Apple has always been evil. Extremely litigious and questionable methods.
This sort of thing is why nobody should be using OS X Server for critical infrastructure. OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.
It seems like Apple is always dragging their feet on security updates, and that alone should cause a major aversion on the part of anybody thinking of deploying their server software into production.
Maybe because he is sick/out of work is why they can't patch it (They fear their boss might yell at them for patching it without his consent...)
OR They are so stubborn that they believe there is and never will be anything wrong with a Mac.
OR They are still testing the patch (highly unlikely since it has little interference with how the server functions...)
Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.
Well, that's what my Mac using friend whose reality is severely distorted told me - "I don't have to worry, I use Mac.". Further arguments were futile after that.
I wonder if they use OSX server for their public DNS and how much egg they would have on their face when some script kiddie used Metasploit (http://www.metasploit.com/) to "test" their servers for them.
No targeted exploit indeed. Of course I suspect they pay some actual professionals to manage their DNS, and that these professionals use a proper server OS and have patched the DNS hole. But still, a script in the wild that affects the security of their servers certainly exists, on a very popular vulnerability assessment tool no less, and should be cause for concern on their part. The fact that it apparently isn't just shows how seriously they take their server business.
Oh, was that my outside voice?
This is related to Apple's OS X Server product, which runs DNS (BIND in fact), and many Mac businesses do in fact use it, if even as a local DNS cache (for which a simple fix now would be to configure their boxes to use OpenDNS).
The bigger issue is this is a pretty big deal on the security front: all of the businesses that Apple has to compete with in the server space (especially in the eyes of enterprise IT) have had a fix and a public statement about it out the door. Apple is the big Unix vendor missing off the list, and has not even made a public statement as such to inform its users about the issue. Not exactly the best way to talk about how secure their products are (client and server).
Of course, they still haven't gotten around to fixing the ARDAgent.app vulnerability from a few weeks back either.
Apple is a corporation. You don't call corporations (whether they be Google, Microsoft, Apple, or IBM) good or evil, you just look at what they're actually doing.
So, let's look at what Apple and Microsoft are actually doing:
iPod/iPhone vs Zune/XBox: iTunes has weak DRM, Windows Media Player has strong DRM with kernel support that's getting stronger in Vista (trusted media path and tilt switches). None of their consumer entertainment products are open, but it's a lot cheaper and easier to get into software development for the iPhone than the XBox.
Open source: Microsoft uses GPLed software in Interix, and used OpenBSD extensively. They haven't released their versions of any of the BSD-licensed components they used in Interix (or Windows), but they do have a copy of their GCC source in the Interix tree. They have *recently* decided to accept the LGPL, but there's no GPLed software in Windows proper. Apple uses GPLed software in Darwin, and used FreeBSD extensively. They have released the open source code in Darwin and kept releasing it with every new release of OS X. They have added their own open source components, to the point where the majority of the traditional userland in OS X, as well as many major new components like launchd, are open source. Microsoft's open source poster boys are things like Windows installers.
This is like claiming that Gandalf's "turning evil" because he's wearing a grey robe, while cheering on Sauron for having the Nazgul stop off to pick up litter on the way back from scouring the Shire.
Anecdotal evidence is enough to prove that at least one OS X Server is used.
I understand your pain. On the plus side, if you are a Python / Ruby developer, you have some things to look forward to, as a lot of Apple's own components are being written in them, so those installs actually work most of the time. The Perl one, not so much.
Of course, the biggest limitation to their serious server implementation is that there is no Apple-provided forum for users to be able to discuss their issues with beta release software. Let alone a publicly searchable bug tracker (right now we search by submitting bugs and waiting to see how long until the ticket is closed as either "by design", "we will get on it" or "duplicate"). So why should I bother to actually install a beta build of Apple's stuff to test? I can't really give any feedback, and there isn't any documentation out there floating around on how AD binding works in 10.5 vs 10.4. Which is a great example: Apple's implementation of 10.5's AD plugin did not take into account that there could be multiple servers available, and that the first record returned for the LDAP service may not be the same server as what was returned for the KDC. Why? Probably because they only tested this with a single Windows server in their test lab. So their engineers never even thought this was a problem. Of course, if we could test such things in beta, and they could see a group of folks bitching on the forums (all under NDA) about it, then they could probably even post a hot patch to the people with the issues and get faster feedback as a communication between the engineers and the people who are actually USING their code.
Personally, the brazen "stomp everywhere and expect the world to bow to their whims" attitude reminded me of Microsoft in the mid 90s.
Now, complacency with regards to security confirms it: Apple are following Microsoft's path 15 years after them.
It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible to all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.
Face it, Apple, like Microsoft before them, are just the flavor of the month.
I hate printers.
There are many ways to get to a "protected" caching resolver. Users on the trusted network browse the web, send email, IM, etc.; all of those require DNS lookups, and many can be subverted to cause lookups of arbitrary names.
In any case, trying to excuse Apple by saying "not too many are affected" is crap. They shipped software that is now known to have security issues and it should be addressed. They've known there is a problem for almost 3 months and still have not done anything to protect their customers. If this was Microsoft, Sun, Red Hat, etc., people would be ranting about it, but since it is Apple, it must be okay.
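The BIND fix the thread is waiting on is essentially source-port randomization for the resolver's outgoing queries. As an added example, not code from this thread or from ISC, here is an offline check that scores a sample of (transaction id, source port) pairs as a recursive resolver would emit them, so an administrator can tell a patched resolver from an unpatched one from a packet capture; the sample data below is constructed.

```python
"""Offline check for DNS source-port randomization (the core of the 2008 BIND fix).

Added example, not code from the thread or from ISC. Input is a list of
(transaction id, source port) pairs observed on a resolver's upstream queries.
"""
import math
from collections import Counter

# Constructed samples: an unpatched resolver reusing one port with incrementing
# IDs, and a patched one drawing ports and IDs from a wide range.
UNPATCHED = [(0x1000 + i, 53) for i in range(64)]
PATCHED = [((i * 40503) & 0xFFFF, 1024 + ((i * 2654435761) % 64000))
           for i in range(64)]


def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True when every step between consecutive values is exactly +1."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def assess_resolver(samples):
    """Return a dict with entropy figures and the weaknesses found, if any."""
    ids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    findings = []
    if len(set(ports)) <= 2:
        findings.append("fixed source port")
    if is_sequential(ids):
        findings.append("sequential transaction ids")
    if entropy_bits(ports) < 4.0:
        findings.append("low source-port entropy")
    return {
        "port_entropy": round(entropy_bits(ports), 2),
        "id_entropy": round(entropy_bits(ids), 2),
        "vulnerable": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    print("unpatched:", assess_resolver(UNPATCHED))
    print("patched:  ", assess_resolver(PATCHED))
```

The thresholds are illustrative; a real capture should be long enough that a 64-sample window is not dominated by a single busy upstream zone.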
Ok, first of all, you're confusing 'hacks' with 'cracks.' People 'hack' hardware, software, etc., on their own personal devices to make them do what they want. So of course people will hack anything, or try to. Everything you listed has indeed been hacked. Cracking, however, is a different matter. People 'crack' other people's hardware, software, or devices to make them do what the cracker wants without the owner knowing. The PSP has not been 'cracked.' The iPhone has not been 'cracked.' The Xbox has not been 'cracked.' Macs have been hacked, and cracked, convincingly, as sibling mentions. I agree that security, or lack thereof, is not directly proportional to market share. I'm just saying that if market share is small, security is irrelevant. Apple has gotten used to it being irrelevant. On another, slightly off-topic note, it's people like you who give Linux and hackers a bad name. Stop it. On another, slightly more off-topic note, I'm writing this from my new (jailbroken) iPhone, which I am pleased with.
Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.
Fail. I was a vocal opponent of Windows 3.1, calling it the abomination it was. Also, you seem to think there are no geeks hating on Apple now. I'm not sure what blogs/newsgroups/boards you read, but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was playstation, and even gamecube, and even sega dreamcast.
People will hack anything, just to say they did. Kids brought up on Macs at schools who don't have stupid anti-apple biases will try to hack their school computers. Or maybe even if they do have anti-apple biases.
But nobody has yet been able to hack a Mac convincingly.
Wow, talk about a stupid argument. The common thing with all of those you listed is they were "hacked" so you could load your own software/games onto them. Ignoring the fact you can do that already in OSX, people have been hacking Macs to run Windows/Linux/whatever for years, and this was before Apple made it easy to do so. Similarly, people have been hacking Apple's OS to run on non-Apple hardware for years too. So if that's your definition of "hacking", then there have been "hacks" out there for Macs for decades. Obviously none of this has anything to do at all with network security, so I don't even know why you brought it up.
it's 500 dollars for an unlimited license,
Uhhh? unlimited license? For $500, Apple gives you a 10-client license?
and does a hell of a lot more than throw a few OSS solutions into the box.
OSS solutions:
* Scale up onto hardware Apple can only dream about (talk to Sun or IBM for more info)
* Fit into your existing vmware infrastructure.
* Don't impose bullshit per-client licensing restrictions.
* Don't leave you with a coating of vendor lock-in slime.
Sure, if you're a complete Apple shop (hah!), then OS X Server is probably a good fit for you, but in the real world, it's mixed clients (or at least looking in that direction).
If you're going to comment, it helps if you have half a clue what you're talking about.
Well - at least we agree on this....
There are shills on slashdot. Apparently, I'm one of them.
but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.
I find plenty of Apple/Mac hate all the time. The problem with the majority of it is that rather than actually disliking the company or the platform for a logical reason, the justification for said hate usually revolves around the assumed sexual preference of said platform's users.
The point being that most* Apple hate I encounter is based off of sheer ignorance, and not raw technical comparison.
*Generally speaking. Slashdot is a notable exception.
Boot Windows, Linux, and ESX over the network for free.
Funny you should say that. Someone just released exploit code that, when used with the DNS cache-poisoning attack, allows the attacker to masquerade as the Apple OS update site and supply arbitrary binaries that the victim machine will happily download and install. That's right, in 2008 MacOS doesn't use SSL to authenticate the OS update server. The words "un fucking believable" spring to mind.
Everything I needed to know about life, I learnt from Blake's Seven