Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security Businesses Apple

Apple Patches Kaminsky DNS Vulnerability 89

Posted by kdawson from the cache-me-if-you-can dept.
Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.
This discussion has been archived. No new comments can be posted.

Apple Patches Kaminsky DNS Vulnerability More

Apple Patches Kaminsky DNS Vulnerability

Comments Filter:

  • The clients still vulnerable ?? (Score:3, Informative)

    by Anonymous Coward on Friday August 01, 2008 @08:58AM (#24431623)

    ISC seems to think so : http://isc.sans.org/diary.html?storyid=4810

    Anybody care to test it for real using both an apple server and laptop, using dnsoarc, to get some real info?

  • leopard and syslogd (Score:5, Informative)

    by Speare ( 84249 ) on Friday August 01, 2008 @09:25AM (#24432105) Homepage Journal

    Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release. leopard syslogd [google.com] I don't use TimeMachine at all, so most people's theories implicating TM is probably not accurate. I'll leave the MBP on overnight and when I wake up the CPU heat is way above normal because syslogd crapped itself again. (The fan speed vs CPU heat function is also pretty sucky.) Some video glitches even start appearing when the CPU heat stays high for a while. I'm going to just kill it hourly by cron, but Apple should also get its butt in gear and just fix it.

  • Re:The clients still vulnerable ?? (Score:5, Informative)

    by BuhDuh ( 1102769 ) on Friday August 01, 2008 @09:36AM (#24432291)

    Anybody care to test it for real using both an apple server and laptop, using dnsoarc, to get some real info?

    Done! See Swa Frantzen's update at the isc [sans.org] Seems like they may have patched the server code, but the client is still using sequentially incrementing ports.

  • Re:leopard and syslogd (Score:4, Informative)

    by Anonymous Coward on Friday August 01, 2008 @10:02AM (#24432769)

    Fix the syslogd problem:

    launchctl stop com.apple.syslogd

    rm -rf /var/log/asl.db

    launchctl start com.apple.syslogd

  • Re:They might have been slow... (Score:3, Informative)

    by 4D6963 ( 933028 ) on Friday August 01, 2008 @10:19AM (#24433115)

    No 10.3 version? Cry me a river. Are you going to complain about the lack of Windows 98 version as well?

    Whooosh? [slashdot.org]

  • "not enabled by default" (Score:2, Informative)

    by Anonymous Coward on Friday August 01, 2008 @10:22AM (#24433199)

    The release notes for this patch say Bind "is not enabled by default". Why is everyone leaving out that detail when most of us do not run servers.

  • Re:Good job apple (Score:5, Informative)

    by MacColossus ( 932054 ) on Friday August 01, 2008 @10:23AM (#24433235) Journal
    Quicktime streaming server, podcast producer, Fortune 500 companies with Macs needing a decent AFP stack and Workgroup Manager to control client side privileges on Mac workstations. Another reason might be a desire not to be financially sodomized by Microsoft on CAL's but the admin has a fear of Linux due to inexperience. (Not every GUI junkie has seen Webmin, KDE, Ubuntu desktop and such). A couple of good Mac Server/Administration sites are www.afp548.com and www.macenterprise.org. Hope this has been educational.

  • Re:They might have been slow... (Score:2, Informative)

    by Anonymous Coward on Friday August 01, 2008 @10:51AM (#24433771)

    ...and the BIND patch wasn't available from their upstream source until June based on the dates I see. Slow turn around on Apples part given June availability but it looks like it was in the queue behind a few other security fixes that are actually of more importance to your average Mac OS X user (very few run named and few still in a configuration that would be vulnerable).

    Note folks running named could have updated BIND on their own (installed an alternate version until Apple release this software update).

  • DNS exploit affects OSX 10.x and up (Score:2, Informative)

    by Anonymous Coward on Friday August 01, 2008 @12:06PM (#24435097)

    http://www.juniper.net/security/auto/vulnerabilities/vuln30131.html [juniper.net]

    That's a whopping list of vulnerable stuff there.
    I wonder if Apple took a survey, of who was still using older versions.
    I have read probably over 40% of internet users don't use updated browsers. http://blogs.stopbadware.org/articles/2008/07/01/forty-percent-of-users-use-insecure-web-browser [stopbadware.org]
    If that many users can't update browsers, how many can update their OS? Especially since browsers (and updates) are mostly free, you'd think they'd be more likely to be updated!

  • Re:They might have been slow... (Score:3, Informative)

    by Phroggy ( 441 ) <slashdot3@@@phroggy...com> on Saturday August 02, 2008 @02:13AM (#24445355) Homepage

    (very few run named and few still in a configuration that would be vulnerable).

    Most Mac OS X client users do not run named, but they do use the system's stub resolver, which I believe is linked to BIND and does not randomize source ports when querying your local DNS server. This means someone could spoof replies from your DNS server in response to queries coming from your Mac. This is MUCH less of a problem than a vulnerable DNS server, because it requires a very localized attack, but it's still an issue.

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close