Apple Patches Kaminsky DNS Vulnerability

Posted by kdawson on Fri Aug 01, 2008 07:48 AM
from the cache-me-if-you-can dept.
Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.

Related Stories

[+] Apple Still Has Not Patched the DNS Hole 296 comments
Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
[+] Apple Clients Still Vulnerable After DNS Patch 94 comments
Glenn Fleishman sends word that SANS Institute testing indicates that, even after installing Apple's latest patch for the DNS vulnerability, Leopard desktops (not servers) are still vulnerable — or at least perpetuate risky behavior that makes exploitation easier. This matters because "With servers rapidly being patched worldwide, it's likely that the low-hanging fruit disappears, and vectors [will be] designed to attack massive numbers of clients on ISP networks."
[+] Technology: Kaminsky Bug Options Include "Do Nothing," Says IETF 134 comments
netbuzz writes "Meeting in Minneapolis this week, the Internet engineering community is debating whether to aggressively fashion and apply fixes for the so-called Kaminsky bug in the DNS discovered this summer, or to simply let its threat stand as motivation for all to move with greater speed toward DNSSEC, which is considered the best long-term security solution. Problem with the latter approach is that DNSSEC has been in the works for a decade already, no one is confident it will be universally embraced, and the Kaminsky flaw is causing real problems today.
  • by Erie Ed (1254426) on Friday August 01 2008, @07:53AM (#24431529)
    for a moment there I was worried about what could happen, but then it hit me nothing important runs on apple servers...
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Tons of video artists and mountain climbers publish on Apple servers.

      • Right, just like he said, nothing important is hosted on Apple servers.

        (Side note: Mountain climbers???)

        • by MightyYar (622222) on Friday August 01 2008, @09:49AM (#24433725)

          I don't think "tons" will get you very far when it comes to statistics.

          I don't know... have you ever priced out a ton of artists? Those things are really skinny and you really get your money's worth.

          The biggest rip-off is a ton of IT guys. You get like 1, maybe 1-1/2 in the whole damned load.

    • Re:Good job apple (Score:5, Informative)

      by MacColossus (932054) on Friday August 01 2008, @09:23AM (#24433235) Journal
      QuickTime Streaming Server, Podcast Producer, Fortune 500 companies with Macs needing a decent AFP stack and Workgroup Manager to control client side privileges on Mac workstations. Another reason might be a desire not to be financially sodomized by Microsoft on CALs but the admin has a fear of Linux due to inexperience. (Not every GUI junkie has seen Webmin, KDE, Ubuntu desktop and such). A couple of good Mac Server/Administration sites are www.afp548.com and www.macenterprise.org. Hope this has been educational.
    • Re:Good job apple (Score:4, Insightful)

      by catwh0re (540371) on Friday August 01 2008, @10:05AM (#24434005)
      Other than that silly largest music retailer in the USA thing they've been toying with for a while.
    • Except for the army's web server...

      • hundreds of -thousands- of education institutions use apple -server-?

        How many education institutions are there in the freagin world? I can count them on my fingers in my city of 150 thousand people. If there's just 200000 of 'em (required so it can be "hundredS" with an S), and we estimate 7 billion people on earth (that's much more than there actually is), and EVERY man, woman and child on earth, including babies, 3rd world country people, etc, attend on average 1 institution (I realise some people attend mo

      • It depends too on what they're running on the servers; I'm sure several say Xserve installations run something YellowDog. Just a thought.

  • by PsyQo (1020321) on Friday August 01 2008, @07:56AM (#24431577)
    They might have been slow with this patch, but boy does it look good!
    • by 4D6963 (933028) on Friday August 01 2008, @08:10AM (#24431851)

      They might have been slow with this patch, but boy does it look good!

      No OS X 10.3 version. Less secure than the PF workaround. Lame.

        • Re: (Score:3, Informative)

          No 10.3 version? Cry me a river. Are you going to complain about the lack of Windows 98 version as well?

          Whooosh? [slashdot.org]

          • Whooosh?
            Wow, that is a blast from the past. Reading that just goes to show why you shouldn't be using the /. readership for judging a market.

        • Re: (Score:3, Interesting)

          To be fair, 10.3 was released in 2003. Windows 98 was released in....1998. A little bit of a difference there.

          Basically, you are forced to pay to get a security update that older OSes, even Microsoft ones, are receiving for free (as they should). I'd be really pissed if MS forced us to pay to upgrade our Win2k3 domain controller for the update. You could have bought an Xserve in 2005 with 10.3, and not be able to get this update without upgrading your entire OS. Only 3-year support on a server? That's l

          • To be fair, 10.3 was released in 2003. Windows 98 was released in....1998.

            And SUSE 9.3 was released in 2005 - no automatic update there either.

              • Well, you can grab the latest Bind for free, too. In fact, you can upgrade much of the OS X userland for free. Can you do that with Microsoft?
                Looks like it's all quite the mishmash.

              • But you can grab a new release of SUSE for free.

                So to fix the DNS vulnerability on SUSE 9, all I have to do is install a new OS?

                • why not, that was what sun told us about solaris 9. They said there is not an automatic patch for solaris 9, but to update to solaris 10 or install our own version.

          • Anyone remotely considering Apple for their enterprise hardware will probably immediately disregard them after this.

            Anyone remotely considering Apple for their enterprise hardware has already drunk the koolaid.

            Seriously, if you think Apple is the right solution for your server, I see two possibilities:

            1. you're running something very Apple-centric, that's cool

            -or-

            2. you don't even know of the alternatives and are deaf blind and stupid.

            • Seriously, if you think Apple is the right solution for your server, I see two possibilities:

              1. you're running something very Apple-centric, that's cool
              -or-
              2. you don't even know of the alternatives and are deaf blind and stupid.

              -or-
              3. you do know of an alternative, but it's from Microsoft.

            • Shhh....there are Apple fanboys on Slashdot. And you know damn well what that koolaid does to them. It changes them. Makes them all 'weird' in the head. You can't win against them in a glorious online geek battle of logic and reasoning because they don't have a logical thought left in them.
    • It seems to do more than patch DNS; my whole system is a lot snappier because of it. And I haven't even installed it yet!

      • by maxume (22995) on Friday August 01 2008, @08:05AM (#24431765)

        They were notified in January.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          ...and the BIND patch wasn't available from their upstream source until June based on the dates I see. Slow turnaround on Apple's part given June availability, but it looks like it was in the queue behind a few other security fixes that are actually of more importance to your average Mac OS X user (very few run named, and fewer still in a configuration that would be vulnerable).

          Note folks running named could have updated BIND on their own (installed an alternate version until Apple released this software update).

          • Re: (Score:3, Informative)

            (very few run named and few still in a configuration that would be vulnerable).

            Most Mac OS X client users do not run named, but they do use the system's stub resolver, which I believe is linked to BIND and does not randomize source ports when querying your local DNS server. This means someone could spoof replies from your DNS server in response to queries coming from your Mac. This is MUCH less of a problem than a vulnerable DNS server, because it requires a very localized attack, but it's still an issue.

  • Ahhhhhh (Score:5, Funny)

    by segedunum (883035) on Friday August 01 2008, @07:57AM (#24431599) Homepage
    The Slashdot effect that can make Apple actually patch something.
  • by Anonymous Coward on Friday August 01 2008, @07:58AM (#24431623)

    ISC seems to think so: http://isc.sans.org/diary.html?storyid=4810

    Anybody care to test it for real using both an apple server and laptop, using dnsoarc, to get some real info?
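The test asked for above can be approximated offline once you have the source ports a resolver used on a run of outbound queries (from a packet capture of the machine under test). The script below is an added example, not the DNS-OARC tool or anything from the page; the three samples are constructed, and the standard-deviation thresholds used for the rating are assumptions chosen for illustration.

```python
import math
import statistics
from collections import Counter

# Constructed samples of (source port, transaction ID) as a resolver might emit
# them on eight successive outbound queries. Not real captures.
TXIDS = [0x1a2b, 0x7c3d, 0x0e4f, 0x9a10, 0x5511, 0x2b22, 0xd033, 0x6e44]
FIXED_PORT = [(53, t) for t in TXIDS]                            # unpatched style
SEQUENTIAL_PORT = [(32768 + i, t) for i, t in enumerate(TXIDS)]  # varies, but predictable
RANDOM_PORT = list(zip([51522, 1097, 40211, 62004, 7731, 33190, 58844, 19506], TXIDS))


def entropy_bits(values):
    """Shannon entropy of the observed values in bits. It is capped by
    log2(sample size), so with few samples it is only a lower bound."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def rate_ports(ports, min_samples=5):
    """Classify source-port behaviour from a sample of outbound query ports.
    The standard-deviation thresholds are assumptions for this example."""
    if len(ports) < min_samples:
        return "INSUFFICIENT"
    if len(set(ports)) == 1:
        return "FIXED"        # every query from one port: only the TXID varies
    sd = statistics.pstdev(ports)
    if sd < 300:
        return "POOR"         # e.g. incrementing ports: trivially predictable
    return "GREAT" if sd >= 3000 else "GOOD"


def assess(samples, txid_bits=16):
    """Return (rating, approximate bits a forged answer must match).
    A fixed or predictable port contributes nothing, leaving the 16-bit TXID;
    randomized ports add their observed entropy on top."""
    ports = [p for p, _ in samples]
    rating = rate_ports(ports)
    if rating == "INSUFFICIENT":
        return rating, None
    port_bits = 0.0 if rating in ("FIXED", "POOR") else entropy_bits(ports)
    return rating, round(txid_bits + port_bits, 2)


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT),
                         ("random", RANDOM_PORT)]:
        print(name, assess(sample))
```

With only eight queries the entropy figure is a lower bound; capture a few hundred queries before drawing conclusions about a real resolver.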

  • by Katchina'404 (85738) on Friday August 01 2008, @08:00AM (#24431665) Homepage

    As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

    Mac OS X 10.3 server dates back to October 2003 (http://www.apple.com/pr/library/2003/oct/08pantherserver.html), so it's just short of 5 years. It's not THAT old, especially for a server product that's likely to be used in some SMEs.

    Or is 10.3 not affected?

    • As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

      You know that under the hood Mac OS X is Unix. It's not that hard to simply get the latest version of Bind and install it yourself. Here are some simple instructions [tidbits.com] on how to do it but it's basic stuff that any system administrator should know. (Personally, I'd install it in /usr/local instead of /usr and symlink to that rather than blowing away the version installed by Apple but then again that's something any computer admin worth his salt should also know.)

      Apple doesn't patch versions of Mac OS X that

        • Woah, hold on there. Most Macs don't have a system administrator.

          We are talking about a vulnerability for SERVERS.

          Bind [wikipedia.org] is DNS SERVER software. The vulnerability targets SERVERS, not your home operating system. SERVER administrators should know how to patch their SERVERS.

          For non-servers this is not a serious vulnerability since you have to explicitly enable Bind and set it up to use it on your system. Guess what, if you are doing that then YOU have become a SERVER ADMINISTRATOR and you better know what you are doing!

          What if I'm not running 10.4.11? Will I be able to apply security patches? The answer is no. Even if a patch has nothing to do with if you are at 10.4.11 or 10.4.9 you'll have to update to the most recent version. It plays hell with anyone trying to have a stable, yet secure, environment.

          If you are a normal home user there is very little re

    • As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

      Mac OS X 10.3 server dates back to October 2003 (http://www.apple.com/pr/library/2003/oct/08pantherserver.html), so it's just short of 5 years. It's not THAT old, especially for a server product that's likely to be used in some SMEs.

      Or is 10.3 not affected?

      As much as I love Linux, it bothers me that many Linux distributions are even worse. For example, Fedora Core 6 and Ubuntu 6.10 were both released in October 2006 (a year and a half after the still-supported Mac OS X 10.4), but support for both of them was dropped several months ago.

      And yes, of course Mac OS X 10.3 is affected.

      • Who runs a critical server like DNS on a version of the OS that is 5 years old?

        SMEs using a local DNS cache ? Well, of course they shouldn't do it considering the OS is not maintained anymore. But this does not make their desire to do it any less legitimate.

        You can't blame SMEs wanting to use an asset that still has value in their books. Depreciating a server over a 5 years lifespan doesn't even seem all that unreasonable.

      • Re: (Score:3, Insightful)

        Well, Microsoft [microsoft.com], a company famed around here for 'planned obsolescence', managed to patch both XP and 2000. You'll note that both of those are more than 7 years old.

        • Re: (Score:3, Insightful)

          I really am surprised that they patched Windows 2000. But Microsoft has never released an OS to replace XP yet. :)

      • Who runs a critical server like DNS on a version of the OS that is 5 years old?

        Who upgrades the operating system on a critical server like DNS more often than every 5 years? I usually only reboot my servers about once a year, and you want me to reinstall the OS every time I do?

  • by homesnatch (1089609) on Friday August 01 2008, @08:11AM (#24431869)

    Someone mentioned that Apple's delay was due to the patch causing a problem with some environment... Maybe Apple had to take the extra time to get it right.

    I would have preferred that Redhat did as well... The Redhat ES 4 patch for BIND left a couple of my DNS domains offline for a few hours.

    • Maybe Apple had to take the extra time to get it right.

      What, you mean, like, actually realize that any sort of hasty patch to a production system carries a risk of downtime or data loss which has to be weighed up against the risk posed by a security vulnerability?

      Nah - never attribute to rationality that which can be satisfactorily explained by incompetence.

  • leopard and syslogd (Score:5, Informative)

    by Speare (84249) on Friday August 01 2008, @08:25AM (#24432105) Homepage

    Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release. leopard syslogd [google.com] I don't use TimeMachine at all, so most people's theories implicating TM are probably not accurate. I'll leave the MBP on overnight and when I wake up the CPU heat is way above normal because syslogd crapped itself again. (The fan speed vs CPU heat function is also pretty sucky.) Some video glitches even start appearing when the CPU heat stays high for a while. I'm going to just kill it hourly by cron, but Apple should also get its butt in gear and just fix it.

    • by Anonymous Coward on Friday August 01 2008, @09:02AM (#24432769)

      Fix the syslogd problem:

      launchctl stop com.apple.syslogd

      rm -rf /var/log/asl.db

      launchctl start com.apple.syslogd

    • by whyloginwhysubscribe (993688) on Friday August 01 2008, @09:19AM (#24433135)
      It must be bad - even cuil has hits relating to this: http://www.cuil.com/search?q=leopard+syslogd [cuil.com]
    • Re: (Score:3, Interesting)

      Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release. leopard syslogd I don't use TimeMachine at all, so most people's theories implicating TM are probably not accurate.

      Dude, that problem has been around since October of 2007, when Leopard was first released. It's been fixed and I think it's related to spotlight trying to index your syslog files. Seriously, if it's still bothering you that much, google for a fix or call Apple tech support.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      "Aha! A Slashdot article about an unrelated bug on Apple machines being fixed! Now that I have Apple's undivided attention, I'll mention a completely different bug in Slashdot's comment system! THAT'LL get it fixed!"

  • by Anonymous Coward

    The release notes for this patch say Bind "is not enabled by default". Why is everyone leaving out that detail when most of us do not run servers.

  • by MacColossus (932054) on Friday August 01 2008, @09:40AM (#24433587) Journal
    http://www.zdnet.com.au/news/security/soa/DNS-patch-causes-BIND-blunder/0,130061744,339290928,00.htm [zdnet.com.au] Could this have been what took Apple so long? Not as entertaining as posting "Apple sucks", but worth a look nonetheless.
    • Could this have been what took Apple so long? Not as entertaining as posting "Apple sucks", but worth a look nonetheless.

      That's an interesting theory, but doesn't look too likely. The flawed patches are the ones ending in "P1" which seem to be what OS X systems are upgraded to. Maybe they worked around that with other code, but there is not really any evidence to support that theory. Someone should probably test it.

  • by Timothy Brownawell (627747) <tbrownaw@prjek.net> on Friday August 01 2008, @10:09AM (#24434089) Journal
    At least they're down to only using his name twice in the summary, even if one of them is in the title... I'd been starting to wonder if all the articles about the DNS bug were really just about how l33t he was for publicizing it and having it fixed.
  • by Anonymous Coward

    http://www.juniper.net/security/auto/vulnerabilities/vuln30131.html [juniper.net]

    That's a whopping list of vulnerable stuff there.
    I wonder if Apple took a survey, of who was still using older versions.
    I have read probably over 40% of internet users don't use updated browsers. http://blogs.stopbadware.org/articles/2008/07/01/forty-percent-of-users-use-insecure-web-browser [stopbadware.org]
    If that many users can't update browsers, how many can update their OS? Especially since browsers (and updates) are mostly free, you'd think they'd be mo