toggle

AAPL Stock: 100.53 ( -0.04 )

Printed from http://www.macnn.com

Analysts: Apple slack in fixing DNS flaw

updated 12:20 pm EDT, Tue July 29, 2008

Apple slow on DNS bug

Apple has taken an unreasonable amount of time in fixing a DNS bug within Mac OS X, according to security consultant Rich Mogull. The bug in BIND (Berkeley Internet Name Domain) -- which has public code available for a security exploit -- was discovered in February by researcher Dan Kaminsky, and a month later, groups such as Cisco and Microsoft met to determine how to fix it. While BIND was only patched on July 8th, Apple has still had weeks to incorporate this into Mac OS, says Mogull.

"It's not sending a real good message," he complains. "If they don't patch this in a reasonable time, they're putting their customers at risk."

Apple has so far chosen not to comment on how long it has known of the DNS bug, or if and when a security update will be released. Kaminsky notes however that relatively few people run BIND on Mac OS X Server, and that those who do may not need Apple to "hold their hand" in patching BIND themselves. "If there was a huge population of people behind DNS servers running OS X, I'd be more worried. That's not a dig [against Apple], it's just a statement."




by MacNN Staff

POST TOOLS:

TAGS :

toggle

Comments

  1. jhawk95

    Joined: Dec 1969

    -2

    The sky is falling!

    Or is it Apples? OMG! What will we ever do! Run for cover before we all die.

    Because Apple computers and servers are just downright failing everywhere. My iMac, my MacBook Pro (Intel), my iPhone, my iPod Classic (160 GB) are all at risk.

    Lions and Tigers and bad Apples, oh my!

    I have not had a virus, Trojan horse, or security issue with ANY Apple product since OS9.

    This guy can go blow it out his A$$. Apple will fix it when they get around to it. If it were important, it would have already be patched.

    Show me ONE (1), just ONE, person in the wild who this has affected.

  1. jhawk95

    Joined: Dec 1969

    -8

    The sky is falling!

    Or is it Apples? OMG! What will we ever do! Run for cover before we all die.

    Because Apple computers and servers are just downright failing everywhere. My iMac, my MacBook Pro (Intel), my iPhone, my iPod Classic (160 GB) are all at risk.

    Lions and Tigers and bad Apples, oh my!

    I have not had a virus, Trojan horse, or security issue with ANY Apple product since OS9.

    This guy can go blow it out his A$$. Apple will fix it when they get around to it. If it were important, it would have already been patched.

    Show me ONE (1), just ONE, person in the wild who this has affected.

  1. testudo

    Joined: Dec 1969

    -3

    apparently

    you have no idea the type of issue this problem creates. It isn't an OS X virus or trojan. It is a DNS problem beyond the scope of the OS at all.

    And, of course, there aren't many exploits, since most everyone else has already patched it!

  1. resuna

    Joined: Dec 1969

    +4

    It's real useful for...

    It's real useful for targeted attacks against OS X connection sharing users.

  1. jhawk95

    Joined: Dec 1969

    -1

    Testudo

    Ok, so how does this affect little ole me then... sitting at home, on my home network, which uses a wireless 802.11N router, with non-broadcast SSID with a unique name, WPA encryption, Mac Address Filitering, and a password that is 28 character long?

    What can they do to the DNS? I am not running a Mac Server! If I visit a site with a Mac Servers, what damage can be done to me?



  1. nativeNYer

    Joined: Dec 1969

    +6

    Serious, but…

    only if running an OS X Server using BIND. Otherwise, this is a non-starter. But for anyone using OS X server to run DNS services, this is a very serious flaw that needs to get patched ASAP. If I were running such a server, I would consider stopping using DNS services on it until a fix were released, that's how serious this can be. No joke, read up on it.

    However, it's no surprise to me that Apple is taking their time to release a patch for their server product. It's become very clear over the last 2 yrs or so that Apple does not give a rat's @ss about their server platform. Leopard server was released with so many bugs it was practically unusable in it's initial released state. That's just unacceptable for a server product. Make no mistake, Apple cares not one iota about their server market. Steve J has iPhones and iPods dancing in his eyes & that is apparently all he gives a damn about.

  1. ViktorCode

    Joined: Dec 1969

    +1

    Stories like this

    ... make me laugh. Yes, I know the bug isn't something to underestimate. Yes, I know what time it takes Apple to patch the bug, and this period is longer than that of the competition.However, I know also that security analysts are VERY bad at predicting actual risk for users, especially when they talk about Apple. We see news like this one every month, and it goes on for years. OS X users are always at risk and always had been. But somehow Microsoft Windows users are those who count as casualties, despite Microsoft having very short period of issuing patches. There are many reasons for it and popularity of the system is just one of many factors counting towards actual risk. Let me put analysis of my own: in following months we will see many reports on unpatched vulnerabilities in OS X reminding us that we are still at risk. Outside of comments on news sites these vulnerabilities won't produce any effect.I know this because like I said security experts usually turn out to be very poor analysts. Though you guys doing a really good job of finding new vulnerabilities, thank you for that.

  1. bsnoel

    Joined: Dec 1969

    +4

    jhawk95

    First, this vulnerability is not OS Specific and it impacts a vast array of OSes and devices. It does include both DNS servers and desktop computers which all have stub DNS resolvers in them. However, in reality the vast majority of hackers would rather go after a DNS server and are not very likely bother with an individual client. This does not mean that a client is safe. A poisoned DNS cache on a DNS server can be a very serious threat to anyone. By reading your posts, you obviously don't fully understand the impact of DNS cache poisoning. If I tricked your ISP's DNS servers into giving a poisoned answer for paypal.com, yourbank.com, cnn.com, whatever.com; your browser would be sent to my address instead of the real site that you intended to visit. Using this attack, I could setup spoofed websites that mirror the original site down to the last detail and I could launch, key loging, fishing, drive-by attacks, etc, the possibilities are endless. Finally, Apple does sell OS X server and they have many customers that use OS X server. They have an obligation to patch vulnerabilities. The obligation is further elevated by the fact that the exploit for this issue is currently active in the wild and has very serious ramifications for security.

  1. manleycreative

    Joined: Dec 1969

    -2

    Oh yeah!

    DNS bug deniers are like holocaust deniers! AHHHHH! lol. Figured I'd throw that ole blame out there. This discussions was starting to sound like a global warming debate.

  1. robttwo

    Joined: Dec 1969

    -2

    just like global warming

    They both are overblown bullshit, and most of the 'experts" stand to make money if all the lemmings of society believe them.

    Doofuses.

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Life n Soul 8 Driver Bluetooth headphones

When it comes to music on the go, consumers generally have some options to consider when looking for the best experience. While Blueto ...

Pure Jongo T2 wireless speaker

Multi-room audio compatibility is a key metric for wireless sound systems these days. The entry cost into a house-spanning system can ...

Logitech Z213 multimedia speakers

Desktop computer speakers sit in a weird area of limbo: many consumers have forgone the era of desktop listening for the privacy and v ...

toggle

Most Commented