updated 12:20 pm EDT, Tue July 29, 2008
Apple slow on DNS bug
Apple has taken an unreasonable amount of time in fixing a DNS bug within Mac OS X, according to security consultant Rich Mogull. The bug in BIND (Berkeley Internet Name Domain) -- which has public code available for a security exploit -- was discovered in February by researcher Dan Kaminsky, and a month later, groups such as Cisco and Microsoft met to determine how to fix it. While BIND was only patched on July 8th, Apple has still had weeks to incorporate this into Mac OS, says Mogull.
"It's not sending a real good message," he complains. "If they don't patch this in a reasonable time, they're putting their customers at risk."
Apple has so far chosen not to comment on how long it has known of the DNS bug, or if and when a security update will be released. Kaminsky notes, however, that relatively few people run BIND on Mac OS X Server, and that those who do may not need Apple to "hold their hand" in patching BIND themselves. "If there was a huge population of people behind DNS servers running OS X, I'd be more worried. That's not a dig [against Apple], it's just a statement."