Apple Still Has Not Patched the DNS Hole
Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
Typical Apple Situation (Score:5, Funny)
Waiting for the port.
Re: (Score:3, Informative)
Stop waiting and patch your server you insensitive clod! [hmug.org]
Re: (Score:3, Informative)
If your server is configured as it should be, the exposure here should be pretty limited. AFAIK, issues with cache poisoning can be dramatically reduced in risk by limiting requests for recursion to hosts within your own network. In environments where the network is untrusted, of course, that's not sufficient, though it is still a good stop-gap to reduce your exposure.
options {
    // answer recursive queries only from your own address range
    // (BIND needs a ';' after each element of the address list)
    allow-recursion { a.b.c.d/xx; };
};
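The post above gives the allow-recursion ACL as a stop-gap. The other named.conf setting that mattered for this particular bug was query-source: the fix in the patched BIND was to randomize the UDP source port of outgoing queries, and a configuration that pins that port (a common pre-2008 firewall workaround) quietly undoes the patch even after the binary is updated. The following is an added example, not code from the thread, TidBITS or ISC: a small audit script that reads the options block of a named.conf and flags a pinned source port and open recursion. The two configuration samples are constructed for the example, and the statement parser is a deliberately simple regex that handles the one-line style shown, not the full BIND grammar.

```python
import re

# Constructed sample: a pre-2008-style options block. The pinned source port
# defeats source-port randomization and "any" makes this an open resolver.
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    recursion yes;
    allow-recursion { any; };
};
"""

# Constructed sample: recursion limited to one local range and loopback, and no
# query-source port, so a patched named picks a random port for every query.
HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };
    allow-query-cache { 192.0.2.0/24; 127.0.0.1; };
};
"""

# One BIND statement per line: "<keyword> <rest>;"
_STATEMENT = re.compile(r'^\s*([a-z-]+)\s+(.*?);\s*$', re.M)


def _strip_comments(text):
    """Remove /* */, // and # comments, all of which BIND accepts."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def _options_block(text):
    """Return the body of the top-level options { ... }; block, or ''."""
    m = re.search(r'options\s*\{(.*?)^\};', text, re.S | re.M)
    return m.group(1) if m else ''


def audit_named_conf(text):
    """Return a list of human-readable findings for a named.conf's options block."""
    findings = []
    body = _strip_comments(_options_block(text))
    stmts = {m.group(1): m.group(2).strip() for m in _STATEMENT.finditer(body)}

    # A numeric port in query-source pins every outgoing query to one port;
    # "port *" (or no port clause) lets named randomize it.
    for key in ('query-source', 'query-source-v6'):
        m = re.search(r'\bport\s+(\d+)', stmts.get(key, ''))
        if m:
            findings.append(f'{key} pins the UDP source port to {m.group(1)}; '
                            'the randomized-port fix is defeated')

    # Recursion is on unless explicitly disabled; check who may use it.
    if stmts.get('recursion', 'yes') != 'no':
        acl = stmts.get('allow-recursion')
        if acl is None:
            findings.append('recursion enabled with no allow-recursion ACL; '
                            'relying on the compiled-in default')
        elif re.search(r'\bany\b', acl):
            findings.append('allow-recursion includes "any": open resolver')
    return findings


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_named_conf(conf) or ['no findings'])
```

To use it on a real server, read /etc/named.conf (or the file Server Admin writes on Mac OS X Server) into a string and pass it to audit_named_conf; an empty list means neither of the two problems this script knows about is present, not that the server is patched, which is a question of the installed BIND version.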
Re:Typical Apple Situation ... No, they want to (Score:2, Funny)
be CORED???
Cobblered?
Clobbered?
Never been truer (Score:5, Funny)
There is always one bad Apple (tm) that spoils the whole bunch.
Lawyered up (Score:5, Funny)
Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy
t3h horror! (Score:5, Funny)
Are there any statistics on how many Macs are being utilized as DNS servers? Is it more than three? [runs away]
Re:t3h horror! (Score:5, Funny)
I would bet it's about as many as are being used as servers, which is not many.
Re:t3h horror! (Score:5, Funny)
I'm not sure. But what I do know is that the patch is going to require a hardware upgrade; Apple would have it no other way.
[runs and hides]
Re:t3h horror! (Score:5, Funny)
Either that, or a $20 charge for "new features"...
Come now, give Apple some credit. This isn't just some run-of-the-mill bug, this is a serious security issue that could cause their customers some serious harm if not fixed.
I'd expect $100 at least; or perhaps they'll introduce the innovative "iLease", with a "lease to own" path for the fixed bug where it's patched permanently on your server after only three years of monthly bug fix rental.
Re:t3h horror! (Score:5, Funny)
Re:t3h horror! (Score:4, Funny)
[runs, hides, and gets a new slashdot username]
Re:t3h horror! (Score:4, Funny)
Are there any statistics on how many Macs are being utilized as DNS servers?
My Mac mini is being used as a caching DNS server for my home network... but it's running djbdns.
Re: (Score:2)
Who are those three? I was about to ask, who uses Apple Macs for DNS?
Re: (Score:2)
Actually there's only one, but it's REALLLLY fast and REALLLLY big - and we LIKE it that way. :-P
You know, the Mothership Model.
http://www.ld8.org/servers/servers.html [ld8.org]
http://www.me.com/not_found/ [me.com]
Re:t3h horror! (Score:4, Insightful)
Anecdotal evidence is enough to prove that at least one OS X Server is used.
The patch is undocumented (Score:5, Funny)
Right on (Score:5, Insightful)
Re: (Score:3, Insightful)
Recapping our top story for those just joining us... there's a flaw in most common DNS resolving servers.
So it doesn't matter what desktop software you're running; what matters is the machine that answers as the DNS server named in your IP config.
If you're using a Mac and your ISP is fixed, you're most likely fine. If your ISP isn't fixed, well, there's your problem.
Re: (Score:2)
That's not quite true. The flaw is in any system that asks a DNS question. The attack is to answer that question first. Thus, a patch is needed for client systems too. Firewalls do nothing to prevent the attack, as the attack involves spoofing a legitimate and expected answer to a question. You may note that MS had a patch for client systems a couple weeks ago... I saw the bind9-host package update in my Ubuntu workstation. Even my router, DD-WRT, needed an upgrade.
The risk is minimized, however,
Re: (Score:3, Insightful)
Re:The patch is undocumented (Score:5, Informative)
Re: (Score:3, Informative)
Mac OS X ...Server? (Score:5, Funny)
Wait, what?
Re: (Score:2)
Mac OS X isn't my first choice for a server OS, I'd rather run FreeBSD straight without spiking it with Mach. But it's probably a better choice for small sites without much technical expertise.
I think a bigger issue may be Internet Sharing.
Re:Mac OS X ...Server? (Score:5, Informative)
Hmm ... I don't think I'd recommend a Mac OSX machine for a server, especially to a small site without technical expertise. When I tried this a couple of years ago, it took me the longest time to figure out why not only that machine, but also a lot of machines in the neighborhood, were so flakey.
One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DHCP server anywhere on the local network, you now have two of them battling it out, and the symptoms aren't something I'd wish on anyone but a networking expert. Apple's CS people were supremely unhelpful, too. They just made it clear that my problem was that we were running non-Apple equipment on the network, and we would have to shut them off before they could diagnose the problem. Yeah, right. I shut the OSX box off instead, and then started learning what it took to explain why that fixed the other machines' problems. If you're a novice, you really don't need a rogue DHCP server on your network. When the other users figure out that it's on your machine, they will not be very friendly.
I've also experimented with an OSX web server. The main problem here is that OSX does funky things with file names, starting with their "caseless" feature. This works if everything was developed on OSX. But if you're running a web server, you're probably going to be including things from other machines in the vicinity. If they're not OSX, you'll go crazy trying to figure out what's going on with the file names. And you probably won't be able to fix it.
The conventional answer you get from the OSX folks is to run the HFS+ file system, which supports case. Well, I tried that. It turns out you have to reformat the disk for HFS+; you can't just flip a bit to turn HFS into HFS+. I did that, and reloaded from backup. Then a couple months later, we had some problems with the disk. I sent it off to Apple for diagnosis, and it came back apparently fixed. Actually, they had replaced it with a new disk, and they copied all our files over. It was formatted as HFS. Oooops! This happened a couple of times with other Macs, so it seems to be a systemic problem. Pointing out to them that you're using HFS+ has no effect.
And even with HFS+, there are some funky file naming problems that I don't understand. I saw a lot of cases where an rsync would produce strange file names on just the OSX system. Linux, Solaris, *BSD systems, and usually even Windows could rsync back and forth, and they'd end up with the same file names (though Windows would proceed to ignore case and get the wrong files at times). But on OSX, we'd see non-ASCII chars simply garbaged with no obvious pattern.
So unless you know that you'll never want to copy directories full of files from a non-OSX machine, I'd advise against using OSX as a serious server. It won't work, and Apple's people won't cooperate with diagnosing the problems. (And you'll just get insults if you mention it here on /. ;-). Save yourself the headaches and wasted weekends, and build a server with a real unix-type file system that accepts any bit patterns except '/' and NUL in file names without damaging them.
(And I have occasionally wished that I could use '/' and NUL in file names. I wonder if there's a system that allows all 256 8-bit bytes in a file name... ;-)
(And I wonder if there are linux systems that do "intelligent" things with file names. If so, should we also be warning people to avoid them as servers?)
Re:Mac OS X ...Server? (Score:5, Informative)
OK. I'll start from the beginning.
All the 'internet sharing' devices and operating systems (including Windows XP) will fire up a DHCP server on the LAN they're sharing to; that's what internet sharing is, a single device acting as a NAT/RIP gateway for several other machines. DHCP is quite a simple service (too simple if you ask me, given this particular problem); if you -sometimes- get IPs and other times do not, there's probably a contending DHCP server on your LAN that needs to be hunted down and killed. This is networking 101. You never plug the 'LAN' side of a NAT device into a LAN that already has a DHCP server, unless you're sure you know what you're doing.
Second, regarding the 'case issues'. There is a case sensitive option (that you -can- flip arbitrarily) in HFS+. There are -case issues- if you're doing some kinds of things (CVS checkouts of source directories with colliding names, etc.), but generally nothing that a little understanding wouldn't fix.
Why on -earth- you would use HFS at all instead of HFS+ is beyond me. That's trying to install Windows on a FAT16 disk. HFS+ has its strong and weak points, but HFS is a dead -dead- dinosaur.
It really sounds like your mac experiences were from the early 10.x days or even the Classic Times of Olde. I've admin'd several OS X (10.3 - 10.5) servers that do printing, file sharing, VPN, directory services, desktop management, web serving, and even Windows Domain Control, and I've never had a problem with anything you're talking about.
That being said, I do prefer Linux, but that's just because it's cheap and it runs on anything.
Re: (Score:2)
I've been through the HFS pain in another context. One of our web developers insists on using a mac. When we migrated one of his sites from a Dreamweaver built site to joomla he had all sorts of problems. The root cause is that the Dreamweaver template was in the Templates directory and joomla had the theme under its templates directory. The linux server has no problem seeing the two as different. However, his mac freaked out and was putting the joomla themes into the dreamweaver Templates folder. Onc
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Where the hell did you even find an HFS volume? That's like worrying about compatibility with FAT16.
It came on the disk inside my Mac Powerbook about 4.5 years ago.
(And it also came on the returned disk in the PB some months later. ;-)
Back then, Apple gave vague, unspecific warnings that some Mac apps wouldn't work right on a caseless file system. Dunno if they claim to have fixed it. The PB is still running (and I'm typing on it right now), but it's mostly relegated to "network appliance" status. It no
Re: (Score:2)
And note that my original comment was in response to a suggestion that a Mac would be a good network server for a small shop with little net expertise. Unless you have a lot more expertise than I do, I'd recommend against it. It might be OK for an expert Internet hacker, but it's not suitable for use by novices. You're expected to understand things like file-system formats, NAT, DHCP, etc.
If you don't know much about those topics then you shouldn't be running a server operating system in the first place. You should either hire someone who does know these things or you should just get a hardware network appliance where you don't need to know much about servers.
Honestly I have found that Mac OS X Server is a lot easier to administrate than most other server operating systems but it doesn't substitute for not having the proper level of sysadmin experience. Yes, there are some "gotchas" in run
Re: (Score:2)
Where the hell did you even find an HFS volume? That's like worrying about compatibility with FAT16.
You insensitive clod!
Imagine my Beowulf cluster (HFS disks) of those just off my edge network, running A/UX 3.x (you KNOW BSD is dying) just to confuse the door-knockers.
I know you're asking yourself.
Q: How many Libraries of Congress is that?
A. 42
Re: (Score:2)
When I tried this a couple of years ago, it took me the longest time to figure out why not only that machine, but also a lot of machines in the neighborhood, were so flakey.
One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DHCP server anywhere on the local network, you now have two of them battling it out, and the symptoms aren't something I'd wish on anyone but a networking expert.
You mean the "Internet Sharing" feature that when you click the help icon it says this:
If your Internet connection and your local network use the same port (Ethernet, for example), investigate possible side effects before you turn on Internet sharing. In some cases (if you use a cable modem, for example) you might unintentionally affect the network settings of other ISP customers, and your ISP might terminate your service to prevent you from disrupting their network.
I don't know, I think that spells it out pretty clearly to me: don't start this feature on the same port that the rest of your LAN is running on. Then again I don't usually enable settings I don't know much about without first reading the documentation.
Oh, and Mac OS X drives come formatted with HFS+, what you are talking about is the case-sensitive formatting option for HFS+. The journaled and case-sensitive HFS+ is ca
Re: (Score:2)
I've been wanting a macbook for a while now, but what you just said there suddenly makes me feel less inclined to get one. I'll stick with my plans to get something from System76.
Re: (Score:2)
One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server.
So does ICS in windows, what's your point? You don't know what you're doing?
The caseless filesystem certainly causes headaches, we had to rename some files in Maia Mailguard due to name clashes that only show up on OSX, and yes we do have one person using it. I guess the other osx server gets lots of spam.
The rsync issues are well known in the mac community, and there are some patched versions available. As with open source, utilize the communities, not Apple support. You may find it's not that bad.
Hav
Re: (Score:2, Informative)
Re:Mac OS X ...Server? (Score:4, Informative)
Mac OS X Server is way more than that. It remotely manages and provides services to potentially thousands of concurrent Mac OS X clients and/or effectively manages Apple's XRAID/XSAN storage subsystems. Apple can't walk into an organization and sell them five hundred Macs and very well expect them to use Windows 2008 or Sun servers now can they? Remote software updates, asset tracking, screen-control, web-mail, anti-spam, everything... http://www.apple.com/server/macosx/
Re:Mac OS X ...Server? (Score:5, Funny)
Re: (Score:3, Funny)
Apple can't walk into an organization and sell them five hundred Macs ...
We'll cross that bridge when we come to it.
Re: (Score:2)
Erm, the Xserve RAID was discontinued earlier this year and XSAN is a separate product (and just a rebadge of a Quantum offering) so it hardly counts toward what Mac OS X Server is. :)
Re:Mac OS X ...Server? (Score:5, Informative)
Apple needs to get their shit together. Unless your needs are VERY straightforward, even 10.5 does not solve them. I'll admit that 10.5 has a much nicer server admin GUI, but it does not overcome the problems with the platform.
We've moved all of these services to CentOS machines. By contrast, getting them working reliably was a walk in the park. Equivalent hardware (hotswap RAID (SCSI, I should add), redundant PSU, fiber channel card, GigE, dual processor machines in a 3U form factor (SuperMicro chassis) come out to about $1k less than an Xserve, on average. And when a part dies, like a backplane, I can BUY THAT PART. With Apple, you have to buy an entire parts kit, which comes with stuff you may not want.
We now run Samba and Netatalk on CentOS on generic server hardware, connected to our StorNext network. There may be better SAN stuff out there than StorNext (in fact, their licensing department leaves much to be desired-- do they even know how to use their own product?), but we already had a lot invested (three Xserve RAID cabinets). Things run great now, and with the Linux version of BRU, our full tape backup [inexplicably] finishes 9 hours earlier (used to take 60 hours, now takes 51).
My advice: Apple makes some nice desktops, but their server stuff is only for novices. I went into the experience very optimistic about Apple's stuff, but now I have a very bitter taste in my mouth.
Re: (Score:2, Interesting)
I am curious about the performance of Samba/Netatalk on CentOS with a StorNext backend. Is it really better than Samba/AFP on OSX server? I always thought it was StorNext itself that just didn't work well with small files, not the OS providing NAS services that was the issue. Do you have any numbers?
Re:Mac OS X ...Server? (Score:5, Informative)
AD-binding is not straightforward. Apple really wants you to run an OpenDirectory, as this allows you to both manage Apple desktops and do single-sign on. If you just want to allow AD authentication on your MacOS X servers, good luck. You're in for a bugfest, with partially-working GUIs and many, many quirks.
Of course with Mac OS X Server 10.5 you can use augmented accounts and run that OD if you desperately think you need to. Depends what services you're trying to run whether you need to or not, some services just need more directory information than AD can provide.
#1 quirk being: you can't do cross-domain authentication, even if those domains are trusted. This was a showstopper for us.
Yes you can. That's what the pretty little checkbox labelled "Allow authentication from any domain in the forest" does. Nifty eh?
There is only ONE backup application for Xsan that is both a) reliable, and b) has a reasonable support contract. We tried Retrospect (total POS), Veritas (ridiculous wait times for support), and finally, BRU. BRU has a decent product, but the number of MacOS bugs that plague this application make it unreliable and frustrating to use. OSS applications don't handle the numerous HFS+ corner cases. Rsync, which we used for snapshots, routinely hemorrhaged itself on files with extended attributes, despite the fact that this was APPLE'S OWN VERSION.
There are other backup applications available, I'm not going to go into them now. Rsync can be made to work fine with Mac OS X, depends on your needs of course. Are you trying to backup HFS+ or Xsan? Or can't you make up your mind where your data is?
If you're backing up Xsan then HFS+ corner cases are pretty much irrelevant given...
Ever try running a shared AFP/SMB volume on an Xsan? You can't. Surprise, surprise: Xsan is not HFS+ formatted. It uses CVFS, which is a Quantum/ADIC filesystem. Why? Because Xsan is simply a rebadged version of StorNext! So your AFP daemon will spew Mac metadata everywhere which your SMB daemon will not honor, thus totally corrupting your data. Fuck you, Apple. Seriously.
That's right, it's not HFS+. Uhm, duh? A cluster file system needs to be, well, a cluster file system. Fortunately for you you've just discovered that this creates the magic of a "._" file (AppleDouble extra data).
Now I've got currently running an Xsan cluster that seems to serve out the same data via AFP and SMB and I haven't had any data eaten. Ever consider that maybe you're doing something wrong?
You can't modify MacOS X Server files on the command line. Oh, well, you could on 10.4 server; then lock the file and hope you never had to use the GUI again. But on 10.5, even that does not work-- it still overwrites your file; smb.conf is a perfect example. I figured, OK, maybe I should set the immutable flag, but then I started thinking... WHY am I using Apple products again?
Right, smb.conf. Maybe you could just read the file and look for the big comment noting:
; Site-specific parameters can be added below this comment.
Maybe you could add your customisations below there like you're told to and be amazed that they don't get overwritten. Reading the documentation, that'd be a novel idea.
Apple's enterprise support blows. Sometimes you get an answer, but no matter what, expect a long wait while people on the other end decide whether they want to bother answering your question or not.
I've had great enterprise support including contact with engineering teams to fix specific issues I've had. Maybe you should be nice to your reps instead of abusing them in public forums.
Want to follow-up on a bug that someone else reported? Good luck. Their bug reporter is terrible. Would it be so hard to run Bugzilla?
Because I know that I want all my confidential data supplied to Apple so they can fix an issue to be public. This just isn't reasonable for any large company. Nor does it make much sense.
If you're having a bug yourse
Re: (Score:2)
I'd rather have a Mac OS X Server than Linux for many things. I have better things to do than learn how to set up a server.
Re: (Score:2)
Re: (Score:2)
Actually, I plan to get a copy of Snow Leopard server and some basic BSD or Linux, and play around with them both on a Mac mini (via external drives -- gotta love EFI). I agree for that for serious web hosting, OS X server requires a lot of mucking about, like any Linux install would, but I also want to use OS X Server so that I can use the more Mac friendly features of it for other uses (such as a small all-Mac office etc), rather than just as a traditional web and mail server.
I was hoping that OS X server
Re: (Score:2, Informative)
Hear, hear. I was administrator of a small network running on OS X server and it was pretty robust. Far easier to set up than the Yellow Dog Linux they started with, and I never got calls on weekends to fix things. Every Linux server I've tried to set up, including Red Hat Enterprise Linux 5, required special bits of certain parts of what the heck was that library name again, and then it still didn't work; switch to another distro, same problem, different piece. Got tired of switching distros threw out the PC
Re: (Score:2)
I find that hard to believe. Linux is pretty obscenely easy to set up and administer these days for most conditions, and RedHat has been there for a long time - but then, I cut my teeth doing things with samba long before they were supported.
Re: (Score:2)
Re: (Score:2)
Re:Mac OS X ...Server? (Score:5, Insightful)
it's 500 dollars for an unlimited license,
Uhhh? unlimited license? For $500, Apple gives you a 10-client license [apple.com]?
and does a hell of a lot more than throw a few OSS solutions into the box.
OSS solutions:
* Scale up onto hardware Apple can only dream about (talk to Sun or IBM for more info)
* Fit into your existing vmware infrastructure.
* Don't impose bullshit per-client licensing restrictions.
* Don't leave you with a coating of vendor lock-in slime.
Sure, if you're a complete Apple shop (hah!), then OS X server is probably a good fit for you, but in the real world, it's mixed clients (or at least looking in that direction).
If you're going to comment, it helps if you have half a clue what you're talking about.
Well - at least we agree on this....
OS X Server not for critical infrastructure (Score:4, Insightful)
This sort of thing is why nobody should be using OS X Server for critical infrastructure. OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.
It seems like Apple is always dragging their feet on security updates, and that alone should cause a major aversion on the part of anybody thinking of deploying their server software into production.
Re:OS X Server not for critical infrastructure (Score:4, Interesting)
OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.
As a hacker, I welcome the concept of hooking up one giant monoculture. Chances are if you misconfigure X or fail to patch Y on my entry point, I've got the same back door all over your whole network.
As a security consultant... who am I kidding, I rape the network and give you a stack of paper saying you should have relied on Unix-like/Windows/Apple boxes by purpose, citing specific software supported on each (i.e. Apache vs. IIS, php, MySQL vs MS SQL Server); and point out that making one big singly-deployed network only makes my job easier, especially when your administrators are more used to purpose X on platform Y.
I guess Microsoft have found the focus of their.. (Score:3, Funny)
Hey, I just wrote about this (Score:2, Informative)
The only statements we have been able to get out of Apple have been from the bug reporting tool. They have stated that they are working on a fix, but it is causing problems in some instances of their deployments, and they don't see it as an emergency because there isn't a targeted exploit against their user base.
They do not need to understand that this is a protocol specific issue, not a code specific issue.
They do not SEEM to understand even. (Score:2)
need to lay off the coffee right now.
Re: (Score:2)
They do not need to understand that this is a protocol specific issue, not a code specific issue.
How long did it take Microsoft to patch the WMF hole? Again, same sort of situation... the protocol/format itself is working as intended... it just can easily be abused.
I can see a fair amount of lack of concern from Apple... this affects DNS caches... rarely are these running on a Mac OSX machine...
Re:Hey, I just wrote about this (Score:5, Insightful)
this is related to Apple's OS X Server product, which runs DNS (BIND in fact), and many Mac businesses do in fact use it, if even as a local DNS cache (for which a simple fix now would be to configure their boxes to use OpenDNS).
The bigger issue is that this is a pretty big deal on the security front; all of the businesses that Apple has to compete with in the server space (especially in the eyes of enterprise IT) have had a fix and a public statement about it out the door. Apple is the big Unix vendor missing off the list, and has not even made a public statement as such to inform its users about the issue. Not exactly the best way to talk about how secure their products are (client and server).
Of course, they still haven't gotten around to fixing the ARDAgent.app vulnerability from a few weeks back either.
Re: (Score:2)
10.4 server made it really easy to provide recursion to the entire internet.
Also, to get your cache poisoned, all you need is an employee to visit a nice page full of LOLCats on a malicious server that will keep feeding them dns requests in the background.
Re:Hey, I just wrote about this (Score:5, Insightful)
There are many ways to get to a "protected" caching resolver. Users on the trusted network browse the web, send email, IM, etc.; all of those require DNS lookups, and many can be subverted to cause lookups of arbitrary names.
In any case, trying to excuse Apple by saying "not too many are affected" is crap. They shipped software that is now known to have security issues and it should be addressed. They've known there is a problem for almost 3 months and still have not done anything to protect their customers. If this was Microsoft, Sun, Red Hat, etc., people would be ranting about it, but since it is Apple, it must be okay.
Re: (Score:2)
people would be ranting about it, but since it is Apple, it must be okay.
It's ok that it's Apple, because so few people use their products.
*ducks*
Re:Hey, I just wrote about this (Score:4, Informative)
But recall... this vulnerability is only available to someone who has access to the caching server in the first place...
No!
This attack is simply a flood of false answers to a dns query made by either a client or caching server. They *look* like legit answers that beat the actual answer back. Because the legit answer has to be able to get back to the server, the spoofed ones are able to get there too.
The clients are only vulnerable within their own firewalled network; but a resolving server, even behind a firewall, is vulnerable to the Internet at large.
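The post above describes the attack mechanics: the attacker gets the resolver to ask a question and then races the real answer with a flood of forged replies that must match the query's 16-bit transaction ID and its UDP source port. The added example below, which is not code from the thread and not an exploit, makes the arithmetic of that race concrete. It computes how many queries an attacker needs on average before one forged reply lands, for an unpatched resolver that always uses the same source port versus a patched one that randomizes the port, and runs a seeded Monte Carlo of the same race. The 1024-65535 port range is an assumption for the example; real servers vary, and the simulation abstracts each forged packet to one random guess.

```python
import random

TXID_SPACE = 1 << 16        # 16-bit DNS transaction ID
FIXED_PORT_RANGE = 1        # unpatched: one predictable UDP source port
RANDOM_PORT_RANGE = 64512   # patched: assumed ports 1024-65535 chosen per query


def guess_space(port_range):
    """Number of (TXID, source port) combinations a forged reply must hit."""
    return TXID_SPACE * port_range


def p_success_per_query(port_range, forged_per_query):
    """Probability that at least one of the forged replies sent during one
    outstanding query matches its TXID and port (independent guesses)."""
    space = guess_space(port_range)
    return 1.0 - (1.0 - 1.0 / space) ** forged_per_query


def expected_queries_to_poison(port_range, forged_per_query):
    """Mean number of attacker-triggered queries until a forgery is accepted.
    Each query is for a never-cached name, so a miss costs only one lookup."""
    return 1.0 / p_success_per_query(port_range, forged_per_query)


def simulate_poisoning(port_range, forged_per_query, max_queries, seed=1):
    """Seeded Monte Carlo of the race. Returns the 1-based query number on
    which a forged reply first matched, or None if max_queries were all lost."""
    rng = random.Random(seed)
    for q in range(1, max_queries + 1):
        # The resolver, tricked into looking up e.g. random123.example.com,
        # remembers the TXID and source port it expects the answer on.
        real_txid = rng.randrange(TXID_SPACE)
        real_port = rng.randrange(port_range)
        # The attacker floods forged answers before the real one arrives;
        # each forgery is one independent guess at the pair.
        for _ in range(forged_per_query):
            if (rng.randrange(TXID_SPACE) == real_txid
                    and rng.randrange(port_range) == real_port):
                return q
    return None


if __name__ == '__main__':
    k = 200  # forged replies the attacker can send per outstanding query
    for label, ports in (('fixed port', FIXED_PORT_RANGE),
                         ('random port', RANDOM_PORT_RANGE)):
        print(f'{label}: {expected_queries_to_poison(ports, k):,.0f} '
              f'expected queries to poison')
    print('simulated, fixed port:', simulate_poisoning(FIXED_PORT_RANGE, k, 5000))
```

With 200 forgeries per query the unpatched case needs a few hundred queries, which is why the posts above say a user browsing a page that triggers background lookups is enough; the randomized-port case multiplies that by tens of thousands. Port randomization raises the cost, it does not remove the flaw, which is the point the thread makes about firewalls and about restricting recursion.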
Re:Hey, I just wrote about this (Score:4, Insightful)
No targeted exploit indeed. Of course I suspect they pay some actual professionals to manage their DNS, and that these professionals use a proper server OS and have patched the DNS hole. But still, a script in the wild that affects the security of their servers certainly exists, on a very popular vulnerability assessment tool no less, and should be cause for concern on their part. The fact that it apparently isn't just shows how seriously they take their server business.
Re: (Score:2)
The fact that it apparently isn't just shows how seriously they take their server business.
Which is a shame, because they do tend to make some good stuff, and when you want to build something to help manage and work with a group of macs, a mac server can make things a lot easier.
Of course, this is a company that didn't test their AD binding under 10.5 in anything larger than a single AD server installation (because why would apple have a multiple window servers to configure as a real AD deployment when thei
3rd pty app for mouse accel adjust? (Score:2)
Is the keyboard and mouse preferences panel in the system preferences not enough?
Steve Jobs? (Score:5, Insightful)
Maybe because he is sick/out of work is why they can't patch it (They fear their boss might yell at them for patching it without his consent...)
OR They are so stubborn that they believe there is and never will be anything wrong with a Mac.
OR They are still testing the patch (highly unlikely since it has little interference with how the server functions...)
Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.
Re: (Score:2)
Or, they're waiting to fix it in the next version, which you will have to pay for, but will have fuzzy little pink rabbits that come with it, free.
Automated Email Reply (Score:5, Funny)
Dear valued Apple customer:
We received your message regarding "unpatched Mac OS X Server security hole". We appreciate your business, and we will do everything to address your concerns as soon as possible. Unfortunately, Steve is away from his desk on leave due to health concerns related to his non-lethal pancreatic cancer. He will be happy to fix the problem with "unpatched Mac OS X Server security hole" as soon as he returns to work.
Sincerely,
Apple Customer Service
Apple + patches == ohnoes (Score:5, Interesting)
As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default. Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break Squirrelmail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.
I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went in to it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned is that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market...Which is really too bad, cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.
Now that I've got all that off my chest: Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else... Apple really has to get things together or get out of the "server" market.
Re: (Score:3, Insightful)
I understand your pain. On the plus side, if you are a Python / Ruby developer, you have some things to look forward to, as a lot of Apple's own components are being written in them, so those installs actually work most of the time. The Perl one, not so much.
Of course, the biggest limitation to their serious server implementation is that there is no Apple-provided forum for users to be able to discuss their issues with beta release software. Let alone a publicly searchable bug tracker (right now we search
Re: (Score:2)
It's really not all that hard to understand what their Server market is... "Servers for the rest of us." OS X Server is to the server market what their desktop is to the desktop market: a kinder, gentler server for those that don't really know everything they're doing. Someone who does know, perhaps like yourself, that is happy without a pretty GUI and easy-to-use tools shouldn't bother. Stick with CLI and FreeBSD or Linux or AIX or Solaris. Apple is targeting someone else and apparently you are just collate
Re: (Score:2)
Well, gotta admit the Xserve hardware is pretty slick, at least. But style doesn't really count for much when the hardware is hidden in some cage somewhere. But it surely runs FreeBSD just fine. Also, if you like VMware and virtual servers, check out the free ESX (in another /. summary). Maybe your boss won't notice the difference... ESX sounds a lot like OS X (when pronounced wrong... which is usually).
Re:Apple + patches == ohnoes (Score:4, Interesting)
Well, gotta admit the Xserve hardware is pretty slick, at least.
No it isn't. On our sole Xserve (bought by my predecessor because he claimed "it's better for graphics" - essential for a headless server) there's no way to fit a second power supply, no Integrated Lights Out, no hardware RAID by default and mounting it on rack rails is a pain in the arse. Slick to look at, but shit to work with.
Re: (Score:2)
I'll second that, and add that their AD integration is absolutely horrifying.
I think they know they can't compete in the server market. Their hardware is too expensive, their software isn't free (and doesn't work better than the free alternative). There's no compelling reason to choose them over Dell unless you happen to have a staff of Apple admins that can't transfer their skill sets over to Linux.
I don't want to call the product shit, but I don't know how to finish this sentence.
Apple not alone in leaving DNS hole unpatched (Score:5, Interesting)
I have a DSL broadband subscription with AT&T (it used to be a small local company and they got bought by whatever is now called AT&T).
I noticed that their DNS was unpatched and I used their support forms to report the problem.
The reply came only a few hours later. To quote: "We regret we cannot help you with your WorldNet dialup problem".
Huh?
So their networking department is not patching critical protocol flaws, and they programmed their answerbots to laugh at us users if we attempt to point out said flaws. Since when does Simon the BOFH work for AT&T DSL support?
AT&T network admin? It's a great job if you can get it.
Re: (Score:3, Informative)
Same here... I am on AT&T DSL service and the DNS servers are unpatched, and they haven't released patches for their 2Wire DSL modems which do DNS proxying (hopefully not caching). I've switched my machines to OpenDNS, but I don't know how an ISP the size of AT&T is not taking this seriously.
Re: (Score:2)
I don't know how an ISP the size of AT&T is not taking this seriously.
"We're the phone company. We don't care. We don't have to."
(Two points for getting the reference. ;-)
Re: (Score:2)
Given the issues this caused with Vista... (Score:5, Informative)
Given the issues [theregister.co.uk] this patch caused with Vista, I'm not at all surprised they're putting this through more thorough testing.
Apple does not want to lose its "just works" reputation by slaughtering internet connections on its platforms.
Re: (Score:2)
Apple? Doing thorough testing? You must live in some kind of alternate universe where Apple products don't break with every update...
- Frustrated user of Apple server products.
Re: (Score:3, Informative)
The problem really hasn't been that we are chiding Apple for (we being the OS X Server admins who support these boxes); most of us have gone and compiled our own versions of BIND without issue, or are forwarding all recursion to OpenDNS's servers, etc. (And custom installed BIND versions appear to be working fine in the server so far for most people).
It has been the total lack of response or public acknowledgement of the problem, no timeline for a fix, no patch and or updated knowledge base article on how to
Re:Given the issues this caused with Vista... (Score:4, Informative)
Issues? What issues? I'm not having any issues with my Vista. Oh, you must be talking about the issue with ZoneAlarm... But that's easy: no ZoneAlarm, no issues.
It's only a Windows problem... (Score:4, Interesting)
...according to the tech support "engineers" at Apple. I spent about two hours on the phone with them Friday, trying to find out when or IF there would be a patch.
No one I talked to had ever heard of the problem.
Two people told me it was a Windows-only issue, and I shouldn't worry about it.
Neither of the two more helpful people I talked to had ever heard of BIND.
One person put me on hold for just under five minutes, then told me he had made an "extensive search through Google" and wasn't able to find any information about a DNS vulnerability in Apple, so I must be mistaken.
One person had heard of BIND, and told me that if there was a security problem, it would be fixed in the next security update. I asked when that would be released, and he told me "No one below Steve Jobs can tell you that -- it's proprietary information, and we don't release that sort of information."
So you can all relax -- it's not a problem that affects Macs, and if it is, someone will fix it. Eventually. Maybe. But if we told you when it will be fixed, we'd have to sue you.
Re:in case you didn't get the memo (Score:5, Insightful)
What are you smoking? Apple has always been evil. Extremely litigious and questionable methods.
Re: (Score:3, Informative)
Re: (Score:2, Funny)
Re:Slashdot and Apple Schizophrenia (Score:4, Interesting)
If all you had to do was keep a constant opinion, what would be the freakin' point of posting at all? Bunch of zombies that all say the same thing, oh yeah, very constructive (though it's ALMOST what it is anyhow).
What's important is how constructive what you say is and if it adds value to the discussion (and yes, being funny does add value).
The system is broken, but not as much as one would think... Most of the moderations I get on pro-Windows posts get modded up (and those that get modded down, half of the time it's because I was not constructive and only ranting), on such an anti-MS web site... so it's not completely hopeless.
Re:Apple meet real world (Score:5, Interesting)
Re: (Score:2)
I had trouble with the Leopard X server, but being that the OS was new (10.5.2 at the time) I went around IRC asking and found that others were downgrading their x servers to a more stable previous version (of xquartz & X11). So that's what I did. Still buggy, but crashes occur far less often.
FYI, when stability is critical with Mac OS, gotta stay with the 10.x.9,10,11 and wait for the 10.x.3 to grow up to those numbers before upgrading. If machines came preinstalled, gotta bite the bullet and go back an
Re: (Score:2)
Apple was never secure. It was just unused.
Au contraire - classic Mac OS was vastly more secure than most Linux distributions at the time, at least from external attacks. Classic Mac OS was never secure from local users with physical access to the box, and of course there have been security holes here and there. However, when Red Hat was shipping with dozens of ports open and who knows what daemons listening on them, Mac OS had zero ports open, out of the box. Large web sites like www.army.mil running on Mac OS were certainly the exception rather
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was PlayStation, and even GameCube, and even Sega Dreamcast.
People will hack anything, just to say they did. Kids brought up on Macs at schools who don't have stupid anti-apple biases will try to hack their school computers. Or maybe even
Re:Is it really so hard? (Score:5, Insightful)
Personally, the brazen "stomp everywhere and expect the world to bow to their whims" attitude reminded me of Microsoft in the mid 90s.
Now, complacency with regards to security confirms it: Apple are following Microsoft's path 15 years after them.
It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible-to-all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.
Face it, Apple, like Microsoft before them, are just the flavor of the month.
Re:Is it really so hard? (Score:5, Insightful)
Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.
Fail. I was a vocal opponent of Windows 3.1, calling it the abomination it was. Also, you seem to think there are no geeks hating on Apple now. I'm not sure what blogs/newsgroups/boards you read, but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.
Re: (Score:2, Insightful)
but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.
I find plenty of Apple/Mac hate all the time. The problem with the majority of it is that rather than actually disliking the company or the platform for a logical reason, the justification for said hate usually revolves around the assumed sexual preference of said platform's users.
The point being that most* Apple hate I encounter is based off of sheer ignorance, and not raw technical comparison.
*Generally speaking. Slashdot is a notable exception.
Re: (Score:3, Informative)
This is something you can change in the system. If you have the OS X developer tools installed, just run /Developer/Applications/Utilities/CrashReporterPrefs.app, and change the setting from "Basic Mode" to "Developer Mode".
Alternately, you can always look up the reason for t
Re: (Score:2)
It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible-to-all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.
I don't know where you get off speaking for me or anyone else. I started off completely neutral on them when I got my first computer in 1991, but considering it was a Mac, it was perhaps inevitable.
My first foray into programming was MacBASIC, on a Mac Plus at school. It was friendly to new programmers, not only breaking on the line causing the error and giving the error type, but also what specifically the error was--much like Firefox does today with JavaScript errors. IIRC it even went as far as to sugges