Security Businesses Apple

Apple Still Has Not Patched the DNS Hole

Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."

  • by bluefoxlucid ( 723572 ) on Monday July 28, 2008 @07:45PM (#24377501) Homepage Journal

    OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.

    As a hacker, I welcome the concept of hooking up one giant monoculture. Chances are if you misconfigure X or fail to patch Y on my entry point, I've got the same back door all over your whole network.

    As a security consultant... who am I kidding, I rape the network and give you a stack of paper saying you should have relied on Unix-like/Windows/Apple boxes by purpose, citing specific software supported on each (i.e. Apache vs. IIS, php, MySQL vs MS SQL Server); and point out that making one big singly-deployed network only makes my job easier, especially when your administrators are more used to purpose X on platform Y.

  • by Shados ( 741919 ) on Monday July 28, 2008 @07:53PM (#24377603)

    If all you had to do was keep a constant opinion, what would be the freakin' point of posting at all? Bunch of zombies that all say the same thing, oh yeah, very constructive (though it's ALMOST what it is anyhow).

    What's important is how constructive what you say is and if it adds value to the discussion (and yes, being funny does add value).

    The system is broken, but not as much as one would think... Most of the moderations I get on pro-Windows posts get modded up (and those that get modded down, half of the time it's because I was not constructive and only ranting), on such an anti-MS web site... so it's not completely hopeless.

  • by sxeraverx ( 962068 ) on Monday July 28, 2008 @07:59PM (#24377707)

    Apple was never secure. It was just unused. The exact same thing is going on ATM with their X server. Not so much a security flaw (though it might be) as much as a major bug. If you send too many events at once (not insane amounts, just a lot) it simply crashes, bringing down all the X apps with it. Upstream was fixed over a year ago, they just refuse to roll out an update. I guess it's an attempt to make devs port to Cocoa/Carbon/whatever-it's-called, but for some of us, that's just not an option. More specifically, it's a program developed by part of a university bioinformatics lab, and we just don't have the manpower or the grant support to do it. So we're either stuck with only supporting Linux, trying to find a workaround, or just ignoring it and hoping it doesn't happen too often. The last option is what we ended up choosing.
  • by HEMI426 ( 715714 ) on Monday July 28, 2008 @08:15PM (#24377863) Homepage

    As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default). Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break Squirrelmail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.

    I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went into it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned are that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market...which is really too bad, 'cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.

    Now that I've got all that off my chest, Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market again; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else...Apple really has to get things together or get out of the "server" market.

  • by ericferris ( 1087061 ) on Monday July 28, 2008 @08:30PM (#24378021) Homepage

    I have a DSL broadband subscription with AT&T (it used to be a small local company and they got bought by whatever is now called AT&T).

    I noticed that their DNS was unpatched and I used their support forms to report the problem.

    The reply came only a few hours later. To quote: "We regret we cannot help you with your WorldNet dialup problem".

    Huh?

    So their networking department is not patching critical protocol flaws, and they programmed their answerbots to laugh at us users if we attempt to point out said flaws. Since when does Simon the BOFH work for AT&T DSL support?

    AT&T network admin? It's a great job if you can get it.

  • Comment removed (Score:1, Interesting)

    by account_deleted ( 4530225 ) on Monday July 28, 2008 @08:37PM (#24378105)
    Comment removed based on user account deletion
  • by amsr ( 125191 ) on Tuesday July 29, 2008 @02:15AM (#24381175)

    I am curious about the performance of Samba/Netatalk on CentOS with a StorNext backend. Is it really better than Samba/AFP on OS X Server? I always thought it was StorNext itself that just didn't work well with small files, not the OS providing NAS services that was the issue. Do you have any numbers?

  • by LizardKing ( 5245 ) on Tuesday July 29, 2008 @07:13AM (#24382613)

    Well, gotta admit the XServe hardware is pretty slick, at least.

    No it isn't. On our sole Xserve (bought by my predecessor because he claimed "it's better for graphics" - essential for a headless server) there's no way to fit a second power supply, no Integrated Lights Out, no hardware RAID by default and mounting it on rack rails is a pain in the arse. Slick to look at, but shit to work with.

  • by Carik ( 205890 ) on Tuesday July 29, 2008 @08:59AM (#24383359)

    ...according to the tech support "engineers" at Apple. I spent about two hours on the phone with them Friday, trying to find out when or IF there would be a patch.

    No one I talked to had ever heard of the problem.

    Two people told me it was a Windows-only issue, and I shouldn't worry about it.

    Neither of the two more helpful people I talked to had ever heard of BIND.

    One person put me on hold for just under five minutes, then told me he had made an "extensive search through Google" and wasn't able to find any information about a DNS vulnerability in Apple, so I must be mistaken.

    One person had heard of BIND, and told me that if there was a security problem, it would be fixed in the next security update. I asked when that would be released, and he told me "No one below Steve Jobs can tell you that -- it's proprietary information, and we don't release that sort of information."

    So you can all relax -- it's not a problem that affects Macs, and if it is, someone will fix it. Eventually. Maybe. But if we told you when it will be fixed, we'd have to sue you.

  • by BuhDuh ( 1102769 ) on Tuesday July 29, 2008 @11:00AM (#24385517)

    An excerpt from my submission log:

    2008-07-26 15:40:03 Apple Lags Patching DNS Poisoning Vulnerability (Apple,Security) (rejected)

    Seems like I have to improve my karma (or something) to get noticed. Ah well, I'll continue reading, I just won't bother trying to submit.
