Slashdot Mirror


Apple Patches Kaminsky DNS Vulnerability

Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.

31 of 89 comments

  1. Good job apple by Erie Ed · · Score: 3, Funny

    For a moment there I was worried about what could happen, but then it hit me: nothing important runs on Apple servers...

    1. Re:Good job apple by Anonymous Coward · · Score: 2, Funny

      Tons of video artists and mountain climbers publish on Apple servers.

    2. Re:Good job apple by Kamokazi · · Score: 3, Funny

      Right, just like he said, nothing important is hosted on Apple servers.

      (Side note: Mountain climbers???)

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    3. Re:Good job apple by MacColossus · · Score: 5, Informative

      QuickTime streaming server, podcast producer, Fortune 500 companies with Macs needing a decent AFP stack and Workgroup Manager to control client-side privileges on Mac workstations. Another reason might be a desire not to be financially sodomized by Microsoft on CALs, but the admin has a fear of Linux due to inexperience. (Not every GUI junkie has seen Webmin, KDE, Ubuntu desktop and such.) A couple of good Mac Server/Administration sites are www.afp548.com and www.macenterprise.org. Hope this has been educational.

    4. Re:Good job apple by MightyYar · · Score: 5, Funny

      I don't think "tons" will get you very far when it comes to statistics.

      I don't know... have you ever priced out a ton of artists? Those things are really skinny and you really get your money's worth.

      The biggest rip-off is a ton of IT guys. You get like 1, maybe 1-1/2 in the whole damned load.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    5. Re:Good job apple by catwh0re · · Score: 3, Insightful

      Other than that silly largest music retailer in the USA thing they've been toying with for a while.

  2. They might have been slow... by PsyQo · · Score: 5, Funny

    They might have been slow with this patch, but boy does it look good!

    1. Re:They might have been slow... by maxume · · Score: 4, Interesting

      They were notified in January.

      --
      Nerd rage is the funniest rage.
    2. Re:They might have been slow... by 4D6963 · · Score: 4, Funny

      They might have been slow with this patch, but boy does it look good!

      No OS X 10.3 version. Less secure than the PF workaround. Lame.

      --
      You just got troll'd!
    3. Re:They might have been slow... by 4D6963 · · Score: 2, Informative

      No 10.3 version? Cry me a river. Are you going to complain about the lack of Windows 98 version as well?

      Whooosh?

      --
      You just got troll'd!
    4. Re:They might have been slow... by Kamokazi · · Score: 2, Interesting

      To be fair, 10.3 was released in 2003. Windows 98 was released in....1998. A little bit of a difference there.

      Basically, you are forced to pay to get a security update that older OSes, even Microsoft ones, are receiving for free (as they should). I'd be really pissed if MS forced us to pay to upgrade our Win2k3 domain controller for the update. You could have bought an Xserve in 2005 with 10.3, and not be able to get this update without upgrading your entire OS. Only 3-year support on a server? That's ludicrous. Anyone remotely considering Apple for their enterprise hardware will probably immediately disregard them after this.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    5. Re:They might have been slow... by Anonymous Coward · · Score: 2, Informative

      ...and the BIND patch wasn't available from their upstream source until June based on the dates I see. Slow turnaround on Apple's part given June availability, but it looks like it was in the queue behind a few other security fixes that are actually of more importance to your average Mac OS X user (very few run named and few still in a configuration that would be vulnerable).

      Note folks running named could have updated BIND on their own (installed an alternate version until Apple released this software update).

    6. Re:They might have been slow... by Phroggy · · Score: 2, Informative

      (very few run named and few still in a configuration that would be vulnerable).

      Most Mac OS X client users do not run named, but they do use the system's stub resolver, which I believe is linked to BIND and does not randomize source ports when querying your local DNS server. This means someone could spoof replies from your DNS server in response to queries coming from your Mac. This is MUCH less of a problem than a vulnerable DNS server, because it requires a very localized attack, but it's still an issue.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  3. Ahhhhhh by segedunum · · Score: 4, Funny

    The Slashdot effect that can make Apple actually patch something.

  4. The clients still vulnerable ?? by Anonymous Coward · · Score: 3, Informative

    ISC seems to think so: http://isc.sans.org/diary.html?storyid=4810

    Anybody care to test it for real using both an Apple server and laptop, using dnsoarc, to get some real info?

    1. Re:The clients still vulnerable ?? by BuhDuh · · Score: 5, Informative

      Anybody care to test it for real using both an Apple server and laptop, using dnsoarc, to get some real info?

      Done! See Swa Frantzen's update at the ISC. Seems like they may have patched the server code, but the client is still using sequentially incrementing ports.

      --
      Enlightenment? It's just a flush in the pan.
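
Added example (not part of the thread and not any poster's or project's code): a sketch of the check the comments above describe, rating how predictable a resolver's UDP source ports look from the query ports a DNS server has observed. The sample port lists, the function names and both thresholds are constructed assumptions for illustration, not the DNS-OARC test's scoring.

```python
import math

# Constructed samples: source ports seen on consecutive queries from one client.
FIXED_SAMPLE = [32768] * 8
SEQUENTIAL_SAMPLE = [49152, 49153, 49155, 49156, 49157, 49158, 49160, 49161]
NARROW_SAMPLE = [1030, 1024, 1041, 1027, 1060, 1033, 1052, 1025]
RANDOM_SAMPLE = [51234, 1893, 40211, 17002, 60544, 9321, 33870, 25519]

def port_stats(ports):
    """Return (distinct_ports, small_step_ratio, stddev) for observed ports."""
    n = len(ports)
    mean = sum(ports) / n
    stddev = math.sqrt(sum((p - mean) ** 2 for p in ports) / n)
    # Step between consecutive queries, modulo the 16-bit port space.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    # A counting allocator shows small positive steps even when other
    # sockets on the host take a port in between (assumed window: 1..16).
    small = sum(1 for d in deltas if 1 <= d <= 16) / len(deltas)
    return len(set(ports)), small, stddev

def rate_ports(ports):
    """Classify source-port behaviour as seen from the server side."""
    if len(ports) < 5:
        raise ValueError("need at least 5 observed queries")
    distinct, small, stddev = port_stats(ports)
    if distinct == 1:
        return "FIXED"        # only the 16-bit query ID is left to guess
    if small >= 0.8:
        return "SEQUENTIAL"   # next port follows from the previous one
    if stddev < 3000:         # assumed threshold: ports confined to a small range
        return "NARROW"
    return "RANDOMIZED"

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_SAMPLE), ("sequential", SEQUENTIAL_SAMPLE),
                         ("narrow", NARROW_SAMPLE), ("random", RANDOM_SAMPLE)]:
        print(name, rate_ports(sample))
```

A host whose stub resolver rates SEQUENTIAL or FIXED still depends on the query ID alone for spoofing resistance, which matches the client-side gap reported in this sub-thread.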
  5. No patch for OS X 10.3 ? by Katchina'404 · · Score: 4, Interesting

    As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

    Mac OS X 10.3 server dates back to October 2003 (http://www.apple.com/pr/library/2003/oct/08pantherserver.html), so it's just short of 5 years. It's not THAT old, especially for a server product that's likely to be used in some SMEs.

    Or is 10.3 not affected ?

    --
    Ceci n'est pas une signature
    1. Re:No patch for OS X 10.3 ? by Macthorpe · · Score: 2, Insightful

      Well, Microsoft, a company famed around here for 'planned obsolescence', managed to patch both XP and 2000. You'll note that both of those are more than 7 years old.

      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    2. Re:No patch for OS X 10.3 ? by MobyDisk · · Score: 2, Insightful

      I really am surprised that they patched Windows 2000. But Microsoft has never released an OS to replace XP yet. :)

  6. Maybe they took the time to get it right? by homesnatch · · Score: 5, Interesting

    Someone mentioned that Apple's delay was due to the patch causing a problem with some environment... Maybe Apple had to take the extra time to get it right.

    I would have preferred that Red Hat did as well... The Red Hat ES 4 patch for BIND left a couple of my DNS domains offline for a few hours.

    1. Re:Maybe they took the time to get it right? by itsdapead · · Score: 2, Funny

      Maybe Apple had to take the extra time to get it right.

      What, you mean, like, actually realize that any sort of hasty patch to a production system carries a risk of downtime or data loss which has to be weighed up against the risk posed by a security vulnerability?

      Nah - never attribute to rationality that which can be satisfactorily explained by incompetence.

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
  7. leopard and syslogd by Speare · · Score: 5, Informative

    Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release (leopard syslogd). I don't use TimeMachine at all, so most people's theories implicating TM are probably not accurate. I'll leave the MBP on overnight and when I wake up the CPU heat is way above normal because syslogd crapped itself again. (The fan speed vs CPU heat function is also pretty sucky.) Some video glitches even start appearing when the CPU heat stays high for a while. I'm going to just kill it hourly by cron, but Apple should also get its butt in gear and just fix it.

    --
    [ .sig file not found ]
    1. Re:leopard and syslogd by Anonymous Coward · · Score: 4, Informative

      Fix the syslogd problem:

      launchctl stop com.apple.syslogd

      rm -rf /var/log/asl.db

      launchctl start com.apple.syslogd

    2. Re:leopard and syslogd by whyloginwhysubscribe · · Score: 5, Funny

      It must be bad - even cuil has hits relating to this: http://www.cuil.com/search?q=leopard+syslogd

    3. Re:leopard and syslogd by illumin8 · · Score: 2, Interesting

      Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release (leopard syslogd). I don't use TimeMachine at all, so most people's theories implicating TM are probably not accurate.

      Dude, that problem has been around since October of 2007, when Leopard was first released. It's been fixed and I think it's related to Spotlight trying to index your syslog files. Seriously, if it's still bothering you that much, google for a fix or call Apple tech support.

      --
      "When the president does it, that means it's not illegal." - Richard M. Nixon
    4. Re:leopard and syslogd by Anonymous Coward · · Score: 2, Funny

      "Aha! A Slashdot article about an unrelated bug on Apple machines being fixed! Now that I have Apple's undivided attention, I'll mention a completely different bug in Slashdot's comment system! THAT'LL get it fixed!"

    5. Re:leopard and syslogd by chromatic · · Score: 2, Funny

      This is why Mac OS X will never be ready for the desktop!

  8. "not enabled by default" by Anonymous Coward · · Score: 2, Informative

    The release notes for this patch say BIND "is not enabled by default". Why is everyone leaving out that detail when most of us do not run servers?

  9. DNS patch causes BIND blunder by MacColossus · · Score: 5, Interesting

    http://www.zdnet.com.au/news/security/soa/DNS-patch-causes-BIND-blunder/0,130061744,339290928,00.htm Could this have been what took Apple so long? Not as entertaining as posting "Apple sucks", but worth a look nonetheless.

  10. KaminskyKaminskyKaminsky by Timothy Brownawell · · Score: 2, Interesting

    At least they're down to only using his name twice in the summary, even if one of them is in the title... I'd been starting to wonder if all the articles about the DNS bug were really just about how l33t he was for publicizing it and having it fixed.

  11. DNS exploit affects OSX 10.x and up by Anonymous Coward · · Score: 2, Informative

    http://www.juniper.net/security/auto/vulnerabilities/vuln30131.html

    That's a whopping list of vulnerable stuff there.
    I wonder if Apple took a survey, of who was still using older versions.
    I have read probably over 40% of internet users don't use updated browsers. http://blogs.stopbadware.org/articles/2008/07/01/forty-percent-of-users-use-insecure-web-browser
    If that many users can't update browsers, how many can update their OS? Especially since browsers (and updates) are mostly free, you'd think they'd be more likely to be updated!