Apple Still Has Not Patched the DNS Hole
Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
Waiting for the port.
Are there any statistics on how many Macs are being utilized as DNS servers? Is it more than three? [runs away]
The problem is that they didn't apply the patch to the OS; they applied a patch directly to the Reality Distortion Field, ensuring that this isn't a vulnerability in the first place.
What are you smoking? Apple has always been evil. Extremely litigious and questionable methods.
Wait, what?
This sort of thing is why nobody should be using OS X Server for critical infrastructure. OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.
It seems like Apple is always dragging their feet on security updates, and that alone should cause a major aversion on the part of anybody thinking of deploying their server software into production.
.. $500 million 'Why Vista is better than Apple because we say so' campaign.
Maybe because he is sick/out of work is why they can't patch it (They fear their boss might yell at them for patching it without his consent...)
OR They are so stubborn that they believe there is and never will be anything wrong with a Mac.
OR They are still testing the patch (highly unlikely since it has little interference with how the server functions...)
Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.
Well, that's what my Mac using friend whose reality is severely distorted told me - "I don't have to worry, I use Mac.". Further arguments were futile after that.
If all you had to do was keep a constant opinion, what would be the freakin' point of posting at all? Bunch of zombies that all say the same thing, oh yeah, very constructive (though it's ALMOST what it is anyhow).
What's important is how constructive what you say is and if it adds value to the discussion (and yes, being funny does add value).
The system is broken, but not as much as one would think... Most of the moderations I get on pro-Windows posts get modded up (and those that get modded down, half of the time it's because I was not constructive and only ranting), on such an anti-MS web site... so it's not completely hopeless.
I wonder if they use OSX server for their public DNS and how much egg they would have on their face when some script kiddie used Metasploit (http://www.metasploit.com/) to "test" their servers for them.
No targeted exploit indeed. Of course I suspect they pay some actual professionals to manage their DNS, and that these professionals use a proper server OS and have patched the DNS hole. But still, a script in the wild that affects the security of their servers certainly exists, on a very popular vulnerability assessment tool no less, and should be cause for concern on their part. The fact that it apparently isn't just shows how seriously they take their server business.
Oh, was that my outside voice?
This is related to Apple's OS X Server product, which runs DNS (BIND in fact), and many Mac businesses do in fact use it, if even as a local DNS cache (for which a simple fix now would be to configure their boxes to use OpenDNS).
The bigger issue is this is a pretty big deal on the security front: all of the businesses that Apple has to compete with in the server space (especially in the eyes of enterprise IT) have had a fix and a public statement about it out the door. Apple is the big Unix vendor missing off the list, and has not even made a public statement as such to inform its users about the issue. Not exactly the best way to talk about how secure their products are (client and server).
Of course, they still haven't gotten around to fixing the ARDAgent.app vulnerability from a few weeks back either.
Apple was never secure. It was just unused. The exact same thing is going on ATM with their X server. Not so much a security flaw (though it might be) as much as a major bug. If you send too many events at once (not insane amounts, just a lot) it simply crashes, bringing down all the X apps with it. Upstream was fixed over a year ago; they just refuse to roll out an update. I guess it's an attempt to make devs port to Cocoa/Carbon/whatever-it's-called, but for some of us, that's just not an option. More specifically, it's a program developed by part of a university bioinformatics lab, and we just don't have the manpower or the grant support to do it. So we're either stuck with only supporting Linux, trying to find a workaround, or just ignoring it and hoping it doesn't happen too often. The last option is what we ended up choosing.
Dear valued Apple customer:
We received your message regarding "unpatched Mac OS X Server security hole". We appreciate your business, and we will do everything to address your concerns as soon as possible. Unfortunately, Steve is away from his desk on leave due to health concerns related to his non-lethal pancreatic cancer. He will be happy to fix the problem with "unpatched Mac OS X Server security hole" as soon as he returns to work.
Sincerely,
Apple Customer Service
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default). Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break SquirrelMail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.
I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went in to it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned is that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market...Which is really too bad, cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.
Now that I've got all that off my chest, Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market again; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else...Apple really has to get things together or get out of the "server" market.
I have a DSL broadband subscription with AT&T (it used to be a small local company and they got bought by whatever is now called AT&T).
I noticed that their DNS was unpatched and I used their support forms to report the problem.
The reply came only a few hours later. To quote: "We regret we cannot help you with your WorldNet dialup problem".
Huh?
So their networking department is not patching critical protocol flaws, and they programmed their answerbots to laugh at us users if we attempt to point out said flaws. Since when does Simon the BOFH work for AT&T DSL support?
AT&T network admin? It's a great job if you can get it.
Fantasy: http://ferrisfantasy.blogspot.com/
be CORED???
Cobblered?
Clobbered?
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
There is always one bad Apple (tm) that spoils the whole bunch.
music lover since 1969
Personally, the brazen "stomp everywhere and expect the world to bow to their whims" attitude reminded me of Microsoft in the mid 90s.
Now, complacency with regards to security confirms it: Apple are following Microsoft's path 15 years after them.
It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible to all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.
Face it, Apple, like Microsoft before them, are just the flavor of the month.
I hate printers.
Given the issues this patch caused with Vista, I'm not at all surprised they're putting more thorough testing through on this.
Apple does not want to lose its "just works" reputation by slaughtering internet connections on its platforms.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
There are many ways to get to a "protected" caching resolver. Users on the trusted network browse the web, send email, IM, etc.; all of those require DNS lookups, and many can be subverted to cause lookups of arbitrary names.
In any case, trying to excuse Apple by saying "not too many are affected" is crap. They shipped software that is now known to have security issues and it should be addressed. They've known there is a problem for almost 3 months and still have not done anything to protect their customers. If this was Microsoft, Sun, Red Hat, etc., people would be ranting about it, but since it is Apple, it must be okay.
Ok, first of all, you're confusing 'hacks' with 'cracks.' People 'hack' hardware, software, etc., on their own personal devices to make them do what they want. So of course people will hack anything, or try to. Everything you listed has indeed been hacked. Cracking, however, is a different matter. People 'crack' other people's hardware, software, or devices to make them do what the cracker wants without the owner knowing. The PSP has not been 'cracked.' The iPhone has not been 'cracked.' The Xbox has not been 'cracked.' Macs have been hacked, and cracked, convincingly, as sibling mentions. I agree that security, or lack thereof, is not directly proportional to market share. I'm just saying that if market share is small, security is irrelevant. Apple has gotten used to it being irrelevant. On another, slightly off-topic note, it's people like you who give Linux and hackers a bad name. Stop it. On another, slightly more off-topic note, I'm writing this from my new (jailbroken) iPhone, which I am pleased with.
Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy
Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.
Fail. I was a vocal opponent of Windows 3.1, calling it the abomination it was. Also, you seem to think there are no geeks hating on Apple now. I'm not sure what blogs/newsgroups/boards you read, but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was PlayStation, and even GameCube, and even Sega Dreamcast.
People will hack anything, just to say they did. Kids brought up on Macs at schools who don't have stupid anti-apple biases will try to hack their school computers. Or maybe even if they do have anti-apple biases.
But nobody has yet been able to hack a Mac convincingly.
Wow, talk about a stupid argument. The common thing with all of those you listed is they were "hacked" so you could load your own software/games onto them. Ignoring the fact you can do that already in OSX, people have been hacking Macs to run Windows/Linux/whatever for years, and this was before Apple made it easy to do so. Similarly, people have been hacking Apple's OS to run on non-Apple hardware for years too. So if that's your definition of "hacking", then there have been "hacks" out there for Macs for decades. Obviously none of this has anything to do at all with network security, so I don't even know why you brought it up.
They got on my bad side way back when they took DRI to court over the look and feel of GEM (Graphic Environment Manager); that is why you have Windows on the IBM-type PC today instead of GEM and Bill Gates is a billionaire!
But recall... this vulnerability is only available to someone who has access to the caching server in the first place...
No!
This attack is simply a flood of false answers to a DNS query made by either a client or caching server. They *look* like legit answers that beat the actual answer back. Because the legit answer has to be able to get back to the server, the spoofed ones are able to get there too.
The clients are only vulnerable within their own firewalled network; but a resolving server, even behind a firewall, is vulnerable to the Internet at large.
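The race described in the two comments above (a forged answer that matches the pending query and arrives before the real one), shown from the resolver's side as an added example that is not from this thread: a reply is accepted only if its transaction ID, UDP source port and question match the outstanding query, and records outside the queried zone are dropped. The `PENDING` values and the packets are constructed, and the zone is assumed to be the parent of the queried name.

```python
import struct

# Constructed state for one outstanding query the resolver sent (not real traffic).
PENDING = {"txid": 0x1A2B, "port": 41234, "qname": "www.example.com"}

def _read_name(msg, off):
    """Decode a wire-format name at `off`, following 0xC0 compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer: remember where we stopped, then jump
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def accept_response(pending, src_port, msg):
    """Match a UDP reply against `pending` (TXID, source port, question), then keep only
    records inside the queried zone; zone is assumed to be the parent of the qname."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if txid != pending["txid"] or src_port != pending["port"]:
        return False, "txid/port mismatch"          # the only thing stopping a blind flood
    qname, off = _read_name(msg, 12)
    off += 4                                       # skip QTYPE/QCLASS
    if qd != 1 or qname.lower() != pending["qname"].lower():
        return False, "question mismatch"
    zone = qname.split(".", 1)[1]
    kept, dropped = [], []
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        (kept if name == zone or name.endswith("." + zone) else dropped).append((name, rtype))
    return True, {"kept": kept, "dropped": dropped}

def _wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(txid, qname, extra_name):
    """Constructed reply: one A answer for qname (pointer to the question at offset 12)
    plus one A record for `extra_name` in the additional section."""
    hdr = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 1)
    question = _wire_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    extra = _wire_name(extra_name) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 99])
    return hdr + question + answer + extra
```

Note that an additional record for a name inside the zone is kept, so with a predictable TXID and a fixed source port nothing in this check stops a flood of guesses; randomizing the source port is what widens the space a guess has to hit.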
but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.
I find plenty of Apple/Mac hate all the time. The problem with the majority of it is that rather than actually disliking the company or the platform for a logical reason, the justification for said hate usually revolves around the assumed sexual preference of said platform's users.
The point being that most* Apple hate I encounter is based off of sheer ignorance, and not raw technical comparison.
*Generally speaking. Slashdot is a notable exception.
Boot Windows, Linux, and ESX over the network for free.
...according to the tech support "engineers" at Apple. I spent about two hours on the phone with them Friday, trying to find out when or IF there would be a patch.
No one I talked to had ever heard of the problem.
Two people told me it was a Windows-only issue, and I shouldn't worry about it.
Neither of the two more helpful people I talked to had ever heard of bind.
One person put me on hold for just under five minutes, then told me he had made an "extensive search through Google" and wasn't able to find any information about a DNS vulnerability in Apple, so I must be mistaken.
One person had heard of bind, and told me that if there was a security problem, it would be fixed in the next security update. I asked when that would be released, and he told me "No one below Steve Jobs can tell you that -- it's proprietary information, and we don't release that sort of information."
So you can all relax -- it's not a problem that affects Macs, and if it is, someone will fix it. Eventually. Maybe. But if we told you when it will be fixed, we'd have to sue you.
An excerpt from my submission log:
2008-07-26 15:40:03 Apple Lags Patching DNS Poisoning Vulnerability (Apple,Security) (rejected)
Seems like I have to improve my karma (or something) to get noticed. Ah well, I'll continue reading, I just won't bother trying to submit.
Enlightenment? It's just a flush in the pan.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Where Windows will give you an error code
Heh...
IRQL_NOT_LESS_OR_EQUAL
[blah blah blah]
0xA3466EBC - 0xA3466EBC, 0xA3321EBC, 0x00000142
Sometimes they're helpful ;)
Of course, that is infinitely better than "[Zomg,] We apologize, but you have to reboot your computer," in four languages.
This is something you can change in the system. If you have the OS X developer tools installed, just run /Developer/Applications/Utilities/CrashReporterPrefs.app, and change the setting from "Basic Mode" to "Developer Mode".
Alternately, you can always look up the reason for the crash in the Console application (/Applications/Utilities/Console.app). Or if you prefer to do it the Unix way, grep through /var/log.
Just because you don't know how to do it, doesn't mean it can't be done :).
Yaz.