
August 1, 2008

Apple DNS Patch Lands

Apple’s DNS patch comes straggling across the finish line:

BIND

“CVE-ID: CVE-2008-1447

“Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

“Impact: BIND is susceptible to DNS cache poisoning and may return forged information

“Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.”

(Link)
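The fix the advisory describes, source port randomization, works by widening the space an off-path attacker has to guess: before the patch a forged answer only had to match the 16-bit transaction ID, because the resolver's query port was fixed and known; afterwards it also has to match a source port drawn from a large range. A defender who wants to confirm a resolver really is randomizing can sample its outbound queries and measure the ports. The check below is an added example written for this post, not Apple's or ISC BIND's code; it assumes the input is a list of `(transaction_id, source_port)` pairs read out of a capture of the resolver's outbound traffic (the samples here are constructed in-line), and its thresholds are the example's own heuristics rather than any published standard.

```python
"""Check whether a resolver's outgoing queries use randomized UDP source ports.

Added example, not code from Apple or BIND. Input: (txid, source_port) pairs
as a defender could read them from a capture of outbound port-53 traffic.
The samples below are constructed, and the thresholds are heuristics.
"""
import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits.
    Bounded above by log2(number of samples), so compare against that."""
    counts = Counter(ports)
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_sequential(ports):
    """True when every consecutive port differs by the same non-zero step."""
    if len(ports) < 3:
        return False
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1 and steps.pop() != 0


def guess_space(distinct_ports, txid_bits=TXID_BITS):
    """Combinations a blind attacker must cover to match one query: 2^16
    transaction IDs times the ports in use. Using the distinct ports seen in
    a sample gives a lower bound on what a randomizing resolver draws from."""
    return (1 << txid_bits) * max(1, distinct_ports)


def assess_port_randomization(observations, min_entropy_fraction=0.8):
    """Summarize a sample of (txid, source_port) pairs; verdict GOOD or POOR."""
    ports = [sport for _, sport in observations]
    n = len(ports)
    distinct = len(set(ports))
    entropy = port_entropy_bits(ports) if n else 0.0
    max_entropy = math.log2(n) if n > 1 else 0.0
    spread = max(ports) - min(ports) if ports else 0
    problems = []
    if distinct == 1:
        problems.append("single fixed source port")
    if is_sequential(ports):
        problems.append("sequential source ports")
    if spread < 1024:
        problems.append("ports confined to a narrow range")
    if max_entropy and entropy < min_entropy_fraction * max_entropy:
        problems.append("low port entropy")
    return {
        "samples": n,
        "distinct_ports": distinct,
        "port_spread": spread,
        "entropy_bits": round(entropy, 2),
        "guess_space": guess_space(distinct),
        "problems": problems,
        "verdict": "POOR" if problems else "GOOD",
    }


def constructed_sample(randomized, n=64, seed=2008):
    """Constructed observations for the demo, seeded so results repeat."""
    rng = random.Random(seed)
    txids = [rng.randrange(1 << TXID_BITS) for _ in range(n)]
    if randomized:
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    else:
        ports = [53] * n  # pre-patch style: one fixed query port
    return list(zip(txids, ports))


if __name__ == "__main__":
    for label, randomized in (("fixed port", False), ("randomized", True)):
        print(label, assess_port_randomization(constructed_sample(randomized)))
```

With a fixed query port the guess space is just 2^16 and the verdict is POOR; with randomized ports the sample shows dozens of distinct, widely spread ports and the verdict is GOOD. The sequential check matters because a resolver that increments its port on every query would pass a naive "many distinct ports" test while remaining predictable.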

Resist the urge to decide the matter is settled:

“… on a very basic level, Apple got lucky. The flavors of BSD Unix have always had a good level of security, Unix itself is designed reasonably well from a security POV, and, up until Mac OS X 10.4, Mac OS X was not able to really handle high-end server roles. So, Apple’s default stance of ‘We’ll tell you what you need to know, when you need to know it, and you’ll like it’ wasn’t a big deal. But it wasn’t good. When you report a security issue, you want—no, you need—open communication. Getting told ‘We’re looking into it’ or ‘It’s already been reported’, or worse, ‘Apple takes security seriously, but we don’t comment about unreleased products’ is… well, frustrating is the best word that I can use in a family publication.

“A lot of people in my line of work had been predicting that, at some point, Apple’s attitude towards security, and the company’s opaque nature were going to eventually bite it in the keister—and hard. It was just a matter of when, but when it happened, it would put a severe hurt on the goodwill Mac OS X had created over the years.

“Welcome to ‘when.’”

(Link)

See also Paul Rubens at ServerWatch on Apple & the enterprise market in general.

Paul, by the way, has stepped in as the regular OS roundup columnist at ServerWatch. He’s replacing Brian Proffitt, who stepped in for me a few years back. The column used to be called “Enterprise Unix Roundup,” but I understand it’s going to broaden its coverage to deal with enterprise server OSs in general. Paul’s off to a roaring start:

“Here’s a great idea to put to your CIO: Why not run the company using a server operating system made by Mattel? It’s the company behind Barbie and Hot Wheels (not to mention Tumblin’ Monkeys), so it certainly knows a thing or two about toys. Maybe its designers have enough time to put together an enterprise OS.

“Yeah, right. The idea is plain ridiculous, but is it any more ridiculous than using Apple’s OS X Server or letting end users work on Macs in the enterprise?”

Old, like me? Tumblin’ Monkeys appears to be this generation’s Ker Plunk:


Posted by mhall at 2:27 PM
