Worm Threat Forces Apple To Disable Software?
SkiifGeek writes "After the debacle that surrounded the announcement and non-disclosure of a worm that targets OS X, the vulnerability in mDNSResponder may have forced Apple to remove support for certain mDNSResponder capabilities with the recently released Security Update 2007-007. 'Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to gain a denial of service or arbitrary code execution condition. Apple goes on to identify that the vulnerability that they are addressing exists within the support for UPnP IGD... and that an attacker can exploit the vulnerability through simply sending a crafted network packet across the network. With the crafted network packet triggering a buffer overflow, it passes control of the vulnerable system to the attacker. Rather than patching the vulnerability and retaining the capability, Apple has completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until vulnerabilities can be addressed).'"
Hmmm... (Score:3, Interesting)
http://developer.apple.com/opensource/internet/bo
Is Apple the developer of mDNSResponder or are they just using it?
At least they disabled it! (Score:4, Interesting)
But at least they decided that it's better to disable the feature and minimize the damage to the net as a whole (and yes, even if you don't have an Apple, a worm damages you by clogging your tubes with packets trying to spread itself). MS decided that it's better to keep the insecure service up and running 'til it can be addressed.
Question for 100: Still getting sober/blaster packets? I do.
Re:Standard Operating Procedure? (Score:5, Interesting)
1. Implement it to Microsoft's spec.
2. Implement it correctly (by choosing a direction in places the spec contradicts itself or real implementations).
3. Implement it securely.
Choose only one.
I do not think it is possible to implement UPnP securely and have it based on the spec. Also, the specific code they removed existed only for legacy NAT traversals and may not even be needed any more.
"additional validation" or "disabled support" (Score:3, Interesting)
Clearly something is unclear since iChat is obviously still using UPnP IGD, likely as a client?
But why is the mDNSResponder using UPnP IGP anyway? mDNS is for service discovery etc and is basically a competitor to UPnP (I thought). Perhaps there is a way for mDNSResponder to leverage UPnP IGP to broadcast service messages (e.g. bonjour) across a local NAT? If so I've never seen nor heard of this working -- so perhaps what they're disabling is vulnerable code that wasn't doing anything anyway?
Who wants to bet... (Score:3, Interesting)
I bet there's a secret cabal at Microsoft that is working on this very thing.
Now that Apple has disabled uPnP compatibility.... (Score:3, Interesting)
Re:Moderations tell all (Score:1, Interesting)
Apple failed because for the longest time its software development process was the most closed, convoluted and anti-developer process of all. Even though I'm no fan of Microsoft, it is readily apparent why they are the #1 OS, and I shudder to think what would have happened had the roles been reversed.
Slashdot is full of holier-than-thou, religiously idealistic fanatics and OS X is every bit as crash prone and unreliable as Windows, and I know the argument has probably been made to death but I entertain no doubts that had Apple become a dominant player instead of Windows, there would be a plethora of exploits out for OS X, and since Microsoft focused on something called backward-compatibility because it's what people wanted, numerous old viruses will still work - not so with Apple, which radically changes their OS every few years. There is no inherently superior security in OS X; the plain fact is that pretty much every OS out there that is little more than a curiosity has very few exploits, and for those people who blame Microsoft for vendor lock-in, OS X is the ultimate in vendor lock-in, and Apple historically has done everything within its power to bury what competition it can actually compete with, such as by withholding specifications from Be Inc and forcing that company, which had a technically superior OS at the time, to target a more open Intel-based platform.
For all the complaints about Microsoft, maybe the people here who mod honest facts down or take jokes way too seriously should pull their head out of their collective ass and realize that in the end we're just talking about an operating system and not a god damned religion.
Re:Standard Operating Procedure? (Score:5, Interesting)
Can you show me an implementation of UPnP that hasn't had bugs? According to Wikipedia [wikipedia.org], security is a problem with the spec itself. It's getting so bad that some major router manufacturers are disabling the routing of UPnP packets by default on their non-consumer (and a few consumer) networking appliances.
And my list was more of a dig at OOXML rather than being security related.
Re:*Pulls out a plate 'o crow* (Score:4, Interesting)
I hope this indicates a return to sensibility at Apple. Lately they are trying so hard to be like MS, that the security has suffered. Can't turn off HTML in email is at the top of my security vulnerabilities.