Slashdot Log In
Apple Still Has Not Patched the DNS Hole
Posted by
kdawson
on Mon Jul 28, 2008 07:17 PM
from the get-with-it-already dept.
from the get-with-it-already dept.
Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
Related Stories
[+]
Kaminsky's DNS Attack Disclosed, Then Pulled 281 comments
An anonymous reader writes "Reverse engineering expert Halver Flake has recently mused on Dan Kaminsky's DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled 'Reliable DNS Forgery in 2008.' The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak."
Reader Time out contributes a link to coverage on ZDNet as well.
[+]
Attack Code Published For DNS Vulnerability 205 comments
get_Rootin writes "That didn't take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky's DNS cache poisioning vulnerability into the point-and-click Metasploit attack tool. From the article: 'This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.' Here's our previous Slashdot coverage."
[+]
Patch DNS Servers Faster 145 comments
51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.
[+]
Apple Patches Kaminsky DNS Vulnerability 89 comments
Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Typical Apple Situation (Score:5, Funny)
Waiting for the port.
Never been truer (Score:5, Funny)
There is always one bad Apple (tm) that spoils the whole bunch.
Parent
t3h horror! (Score:5, Funny)
Are there any statistics on how many Macs are being utilized as DNS servers? Is it more than three? [runs away]
Re:t3h horror! (Score:5, Funny)
I would bet it's about as many as are being used as servers, which is not many.
Parent
Re:t3h horror! (Score:5, Funny)
I'm not sure. But what I do know is that the patch is going to require a hardware upgrade; Apple would have it no other way.
[runs and hides]
Parent
Re:t3h horror! (Score:5, Funny)
Parent
Re:t3h horror! (Score:5, Funny)
Either that, or a $20 charge for "new features"...
Come now, give Apple some credit. This isn't just some run-of-the-mill bug, this is a serious security issue that could cause their customers some serious harm if not fixed.
I'd expect $100 at least; or perhaps they'll introduce the innovative "iLease", with a "lease to own" path for the fixed bug where it's patched permanently on your server after only three years of monthly bug fix rental.
Parent
Re:t3h horror! (Score:5, Funny)
Parent
The patch is undocumented (Score:5, Funny)
Right on (Score:5, Insightful)
Parent
Mac OS X ...Server? (Score:5, Funny)
Wait, what?
Re:Mac OS X ...Server? (Score:5, Funny)
Parent
Re:Mac OS X ...Server? (Score:5, Informative)
Hmm ... I don't think I'd recommend a Mac OSX machine for a server, especially to a small site without technical expertise. When I tried this a couple of years ago, it took me the longest time to figure out why not only that machine, but also a lot of machines in the neighborhood, were so flakey.
One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DNCP server anywhere on the local network, you now have two of them battling it out, and the symptoms aren't something I'd wish on anyone but a networking expert. Apple's CS people were supremely unhelpful, too. They just made it clear that my problem was that we were running non-Apple equipment on the network, and we would have to shut them off before they could diagnose the problem. Yeah, right. I shut the OSX box off instead, and then started learning what it took to explain why that fixed the other machines' problems. If you're a novice, you really don't need a rogue DHCP server on your network. When the other users figure out that it's on your machine, they will not be very friendly.
I've also experimented with an OSX web server. The main problem here is that OSX does funky things with file names, starting with their "caseless" feature. This works if everything was developed on OSX. But if you're running a web server, you're probably going to be including things from other machines in the vicinity. If they're not OSX, you'll go crazy trying to figure out what's going on with the file names. And you probably won't be able to fix it.
The conventional answer you get from the OSX folks is to run the HFS+ file system, which supports case. Well, I tried that. It turns out you have to reformat the disk for HFS+; you can't just flip a bit to turn HFS into HFS+. I did that, and reloaded from backup. Then a couple months later, we had some problems with the disk. I sent it off to Apple for diagnosis, and it came back apparently fixed. Actually, they had replaced it with a new disk, and they copied all our files over. It was formatted as HFS. Oooops! This happened a couple of times with other Macs, so it seems to be a systemic problem. Pointing out to them that you're using HFS+ has no effect.
And even with HFS+, there are some funky file naming problems that I don't understand. I saw a lot of cases where an rsync would produce strange file names on just the OSX system. Linux, Solaris, *BSD systems, and usually even Windows could rsync back and forth, and they'd end up with the same file names (though Windows would proceed to ignore case and get the wrong files at times). But on OSX, we'd see non-ASCII chars simply garbaged with no obvious pattern.
So unless you know that you'll never want to copy directories full of files from a non-OSX machine, I'd advise against using OSX as a serious server. It won't work, and Apple's people won't cooperate with diagnosing the problems. (And you'll just get insults if you mention it here on /. ;-). Save yourself the headaches and wasted weekends, and build a server with a real unix-type file system that accepts any bit patterns except '/' and NUL in file names without damaging them.
(And I have occasionally wished that I could use '/' and NUL in file names. I wonder if there's a system that allows all 256 8-bit bytes in a file name... ;-)
(And I wonder if there are linux systems that do "intelligent" things with file names. If so, should we also be warning people to avoid them as servers?)
Parent
Re:Mac OS X ...Server? (Score:5, Informative)
OK. I'll start from the beginning.
All the 'internet sharing' devices and operating systems (including Windows XP) will fire up a DHCP server on the LAN they're sharing to, that's what internet sharing is, a single device acting as a NAT/RIP gateway for several other machines. DHCP is quite a simple service (too simple if you ask me, given this particular problem), if you -sometimes- get IPs and other times do not, there's probably a contending DHCP server on your LAN that needs to be hunted down and killed. This is netwoking 101. You never plug the 'LAN' side of a NAT device into a LAN that already has a DHCP server, unless you're sure you know what you're doing.
Second, regarding the 'case issues'. There is a case sensitive option (that you -can- flip arbitrarily) in HFS+. There are -case issues- if you're doing some kinds of things (CVS checkouts of source directories with colliding names, etc.), but generally nothing that a little understanding wouldn't fix.
Why on -earth- you would use HFS at all instead of HFS+ is beyond me. That's trying to install Windows on a FAT16 disk. HFS+ has its strong and weak points, but HFS is a dead -dead- dinosaur.
It really sounds like your mac experiences were from the early 10.x days or even the Classic Times of Olde. I've admin'd several OS X (10.3 - 10.5) servers that do printing, file sharing, VPN, directory services, desktop management, web serving, and even Windows Domain Control, and I've never had a problem with anything you're talking about.
That being said, I do prefer Linux, but that's just because it's cheap and it runs on anything.
Parent
Steve Jobs? (Score:5, Insightful)
Maybe because he is sick/out of work is why they can't patch it (They fear their boss might yell at them for patching it without his consent...)
OR They are so stubborn that they believe there is and never will be anything wrong with a Mac.
OR They are still testing the patch (highly unlikely since it has little interference with how the server functions...)
Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.
Automated Email Reply (Score:5, Funny)
Dear valued Apple customer:
We received your message regarding "unpatched Mac OS X Server security hole". We appreciate your business, and we will do everything to address your concerns as soon as possible. Unfortunately, Steve is away from his desk on leave due to health concerns related to his non-lethal pancreatic cancer. He will be happy to fix the problem with "unpatched Mac OS X Server security hole" as soon as he returns to work.
Sincerely,
Apple Customer Service
Apple + patches == ohnoes (Score:5, Interesting)
As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default. Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break Squirrelmail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.
I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went in to it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned is that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market...Which is really too bad, cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.
Now, that I've got that all that off my chest, Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market again; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else...Apple really has to get things together or get out of the "server" market.
Apple not alone in leaving DNS hole unpatched (Score:5, Interesting)
I have a DSL broadband subscription with AT&T (it used to be a small local company and they got bought by whatever is now called AT&T).
I noticed that their DNS was unpatched and I used their support forms to report the problem.
The reply came only a few hours later. To quote: "We regret we cannot help you with your WorldNet dialup problem".
Huh?
So their networking department is not patching critical protocol flaws, and they programmed their answerbots to laugh at us users if we attempt to point out said flaws. Since when does Simon the BOFH work for AT&T DSL support?
AT&T network admin? It's a great job if you can get it.
Given the issues this caused with vista... (Score:5, Informative)
Given the issues [theregister.co.uk] this patch caused with vista, i'm not at all surprised they're putting more thorough testing through on this.
Apple does not want to lose it's "just works" reputation my slaughtering internet connections on its platforms.
Re:in case you didnt get the memo (Score:5, Insightful)
What are you smoking? Apple has always been evil. Extremely litigious and questionable methods.
Parent
Re:OS X Server not for critical infrastructure (Score:5, Funny)
OS X Server is for schools
...because it's a learning experience?
Parent
Re:Hey, I just wrote about this (Score:5, Insightful)
this is related to Apple's OS X Server product, which runs DNS (bind in fact), and many mac businesses do in fact use it, if even as a local DNS cache (which a simple fix now would be to configure their boxes to us opendns).
The bigger issue is this is a pretty big deal on the security front, all of the businesses that apple has to compete with in the server space (especially in the eyes of enterprise IT), have had a fix and a public statement about it out the door. Apple is the big unix vendor missing off the list, and has not even made a public statement as such to inform it's users about the issue. Not exactly the best way to talk about how secure their products are (client and server).
Of course, they still haven't gotten around to fixing the ARDAgent.app vulnerability from a few weeks back either.
Parent
Re:Hey, I just wrote about this (Score:5, Insightful)
There are many ways to get to a "protected" caching resolver. Users on the trusted network browse the web, send email, IM, etc.; all of those require DNS lookups, and many can be subverted to cause lookups of arbitrary names.
In any case, trying to excuse Apple by saying "not too many are affected" is crap. They shipped software that is now known to have security issues and it should be addressed. They've known there is a problem for almost 3 months and still have not done anything to protect their customers. If this was Microsoft, Sun, Red Hat, etc., people would be ranting about it, but since it is Apple, it must be okay.
Parent
Re:Apple meet real world (Score:5, Interesting)
Parent
Re:Is it really so hard? (Score:5, Insightful)
Personally, the brazen "stomp everywhere and expect the world to bow to their whims" attitude reminded me of Microsoft in the mid 90s.
Now, complacency with regards to security confirms it: Apple are following Microsoft's path 15 years after them.
It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible to all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.
Face it, Apple, like Microsoft before the, are just the flavor of the month.
Parent