back to article Apple skewered over missing DNS patch

Apple has come under fire for failing to patch the critical Domain Name System (DNS) flaw which prompted a (rest of) industry wide response earlier this month. For anyone just back from a trip up the Amazon, the discovery of a domain spoofing vulnerability by security researcher Dan Kaminsky sparked a massive patching effort …

COMMENTS

This topic is closed for new posts.
  1. The Veiled Prawn

    Typical

    It's like Byker Grove when Jeff died.

  2. Anonymous Coward
    Anonymous Coward

    Suprise

    Breaking: Large company fails to give a shit about customers.

    In other news, the sky is still blue.

  3. Thomas

    "It's like Byker Grove when Jeff died."

    Nah, it's like Grange Hill when magically one summer the entire school and its crop of southern, Londony students woke up to discover that they now lived in Liverpool and all the new first year kids were scousers.

  4. Anonymous Coward
    Flame

    Scrumping for Apples

    I think there will soon be a new term in the IT world.

    Scrumping - to attack a network of computers to locate the Apples which haven't been patched.

    What is it with Apple and this blind ignoring of security issues? (I am especially thinking of Safari here as well as this DNS issue)

    Some of the news items lately find Apple acting as if security is someone else's problem. Soon this will bite them in the arse as the Black Hat crowd target them more and more.

    The joke of this DNS fix is Apple just need to add the patch that someone else has already written for them!!

  5. Anthony Hulse

    Not really a surprise

    Although I'm quite happy with my Mac "end-user" computers I can't understand why people bother with the server variant of OSX. Just put FreeBSD or Linux onto bog standard hardware and have done with it. It's not like you get a significant commercial software advantage over *nix like you do with a normal Mac, and as incidents like this prove, you're doing yourself and your users a disservice by depending on Apple to fix issues long after the OSS community have issued patches for other *nix variants.

  6. Anonymous Coward
    Boffin

    Who uses Macs as caching nameservers anyway

    Does anyone actually use an OS X machine as a caching nameserver anyway? This sounds like a completely irrelevant attack at Apple - I'm sure there are thousands more products (DSL routers etc) for which there's *much* more real world need for patches than for OS X.

  7. Anonymous Coward
    Pirate

    I hope there's a VMS patch for it by now...

    Having used OSX Server I suspect there's more old Vaxen running DNS services than OSX Server boxes.

    I love OSX as a desktop OS, but Server... ouch.

  8. frymaster

    To be fair...

    ...the reason everyone else got a patch out in such short time is everyone got advance notice (hence why it came out on patch Tuesday)

    Do we know if apple also got advance warning? If not, fair enough. If so (and I suspect they did get warning) that's even worse!

    still, holding off judgement until I know for sure

  9. Anonymous Coward
    Anonymous Coward

    Err...

    Mac OS-X is BSD, Apple don't actually write the majority of the server components, all they have to do is wait for a patch to be written by the nice people at Berkley, compile it and package it. How does that even begin to take more than two weeks for such an important vuln? If this were MS, we wouldn't hear the end of it, and they have to actually write their own software.

  10. RW
    Coat

    Omphaloskepsis?

    It's pretty clear that Apple (the corp) actually believes what their fanbois believe, viz. Macs are Totally Wonderful, Defect Free, and Utterly Secure . You'd think that the powers that be at Apple would be privy to all the dirty secrets about deficiencies in their systems, but it seems like they've fallen for their own publicists' lies, misstatements, distortions, and obfuscations as well as the adulation of their users.

    It's been known for years that Macs weren't targeted by the malware crowd because there weren't enough of them to make it worthwhile. But that is NOT security; that's just dumb luck. With the transition to OS X, plus Microsoft's pratfall called "Vista", suddenly the uptake of Macs is a lot greater, and guess what? Now Macs _are_ worthy targets for malware.

    Surely Apple management is fully aware that they had a house of cards on their hands? Yes, being based on Unix, OS X has a lot of inherent security lacking in Windows, but modern OSes are so complex that it's impossible to render them watertight.

    The gradual revelation that OS X, Safari, etc have security holes just like all other systems merely frosts the cake.

  11. Tom Chiverton

    increase in single packet DNS version queries

    "increase in single packet DNS version queries" ? Bwuh ? Am I the only one with options {

    version "10";

    }

    in my named.conf ?

  12. Thomas

    @Fraser

    You know, Microsoft don't _have_ to write their own software quite as much as they do, they just seem to suffer from an excess of corporate pride.

    But at least they can deliver security patches.

  13. Disco-Legend-Zeke
    Paris Hilton

    But... I thought OS-X was UNIX?

    it should just be a matter of putting a wrapper around it.

    Paris because tonight is her party.

  14. heystoopid
    Happy

    Or

    Or in the Apple add a new line of PC talking to a MAC " welkome to the real world buddy , where fools and fan boys are taken for a ride and their wallets emptied too !"

  15. Mick F

    Head in sand users

    I posted on a fan-boy site about the possibility of attacking machines (regardless of OS) by IP as reported here - the replies were, as you expect, if we can't see you - you can't see me!

    I love my mac's but hate the fanboys and the attitudes.

  16. Ted
    Happy

    When will Hackers Learn?

    This is purely a non-critical issue, it's just that hackers are jealous of Apple's solid OS so they want to make a mountain of a molehill. Nobody has used "supposed" DNS issue to cause any issues. The people that think otherwise are lemmings.

    Apple will fix issues that are serious... quickly, but a minor problem such as this which can't be exploited, can easily wait until a routine security fix is issued.

    Everyone... let's all LAUGH at the people that consider this "patch" as necessary, it's simply not, unless you were in a Clean Room situation... and deeply in control of every aspect of both sides of the equation.

    Hackers make me laugh when they speak in regards to OSX... they are SO clueless.

  17. Maliciously Crafted Packet

    Mac Vulnerabilities

    Have there been any reported real world exploits of OS X to date? Any viruses, trojans, botnets etc?

    Not those carried out in the lab or at black hat conventions -they don't count- but in the real world?

    Would be interested to hear as this is what it will take to make Apple take security more seriously... Anyone?

  18. Pooper Scooper

    @Maliciously Crafted Packet

    The majority of all security issues you see these days -- including those on Windows -- are theoretical/lab/black hat convention exploits.

    The majority of Windows issues people still have in terms of viruses propagating everywhere are unpatched systems.

    The whole point is that by not patching systems when these flaws are discovered, you leave yours as the vulnerable one, so that when exploits do come out for those that didn't bother patching, you'll be the one suffering.

  19. Anonymous Coward
    Anonymous Coward

    I agree...

    ...there are too many fanboys of the kind that do a disservice to the rest of the users (of whatever platform). Yes we all know that you, your family, your friends, heck why not your whole neighborhood, are all mac users AND are security-literate. But that doesn't make the rest of the mac users also security-literate.

    No doubt Mac OS is a secure platform, but the information on it can still be compromised (read: stolen) through the applications running on it and the users themselves. A poorly written or poorly maintained/patched application can easily be subverted. A user can be fooled to believing that a compromised application is still trustworthy, even assist a malware mascarading as a legit program. Remember, your common user would believe that because their platform is secure, they (the applications they use and themselves) are immune to even the simplest information theft.

    Don't forget, your platform doesn't have to be completely infected/subverted to have information stored in it to be stolen. Different platforms require different tactics, and as such, just to have your browser subverted for the duration of a session is a disaster already (either steal your files or record your online passwords).

    Instead of bragging, help your fellow Mac users that are security-illeterate. Just reminding them that they still need to take measures to protect themselves is already a big help.

  20. Anonymous Cowherd Silver badge
    IT Angle

    Er, Ted?

    You're either have one of the dryest senses of humour I've ever seen, or you're a moron. Just in case it's the latter, please consider the following steps.

    1. Write simple Flash advert that will poison the DNS cache for apple.com

    2. Buy a campaign on doubleclick.com, El Reg's ad supplier

    3. Reroute swscan.apple.com to dodgy IP address.

    4. Advertise an update for OS X. Deliver a trojan instead.

    That's it. It doesn't matter if you're all patched and firewalled, if the upstream DNS isn't then the next Apple software update you install roots your box.

    See that nice banner at the top of the page? Install the iDVD update that came out last Friday? Getting the picture yet?

  21. Nick
    Paris Hilton

    Who Cares?

    Who cares, as long as it looks pretty.

    Paris, because even her hole is plugged.

  22. Sabahattin Gucukoglu
    Unhappy

    Hmm...

    Seems ISC aren't quite done yet with BIND. This was sent to bind-users (but not to bind-announce):

    http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/289f1af6eb37b3d6/976c504aff5bba35#976c504aff5bba35

    Cheers,

    Sabahattin

  23. whoami
    Flame

    ERRRR... Surprised Anyone?

    Oh wait, we are talking about the same guys that took longer than 2 OS X upgrades to clean up their firewall mess. (If they even have it fixed) Right?

    if (TRUE)

    {

    Guys move along, nothing to see here

    }

  24. Goat Jam
    Jobs Horns

    Apple Servers

    Why would anybody run servers made by a company that produces consumer gadgets and toys?

    Apple are well known for simply ignoring security issues, it's good to see that attitude extends to it's <ahem> "Server Division".

    It's good to be consistent after all.

  25. rasmus petersen
    Jobs Horns

    iServer ?

    Who would buy a server form a "phone and musicplayer" manifacture anyway.

    You can't expect a server to be a device that just need to be turned on and then forgotten, not even if you run OS X

  26. Ted
    Alien

    Poor Anonymous Cowherd, doesn't yet get it....

    @ Anonymous Cowherd

    Everyone had a great laugh at your fantasy of how you could magically break into OSX... what a hoot!

    OS updates can only originate from Apple, so no magic DNS trickery can change that.

    A flash app that could somehow poison Apple's DNS! ... GOD that is funny!

    A Mac user clicking on a banner for an update! ... GOD that is funny!

    You do know Apple uses UNIX, not Windows for their servers right?

    Thanks for the huge laugh at your expense.

    -

  27. dave lawless
    Boffin

    Unix security ..... lolz

    > Yes, being based on Unix, OS X has a lot of inherent security lacking ...

    I read that as "inherent insecurity" and was surprised to find the reverse.

    Macs used to be interesting because :

    a) they were not Intel

    and

    b) they were not Unix

  28. Nathan Randle
    Stop

    RE: Poor Anonymous Cowherd, doesn't yet get it....

    Ted, do you understand how the attack AC is talking about works?

    Yes flash apps CAN poison YOUR DNS, not Apple's. It makes apple.com look like it's at another location. Now I don't know if it can go further than that as I guess Apple signs its updates and uses SSL connections...but that's an assumption.

    Also Ted I think AC suggested a flash app as IIRC it wouldn't require you to click anything as it runs automatically and poisons your cache automatically. If it wasn't a flash ad then yeah you would need to click.

    Either way you can make an address such as hsbc.com point to your own IP's and have lots of fun so you saying this can't work is plain wrong and I bet it is active in the wild (luckily my ISP's nameservers are patched)

  29. Anonymous Coward
    Flame

    Gentlemen - meet Ted

    You are wasting your time attempting to explain a technical issue to Ted - he is the stereotypical rabid clueless fanboy rooted deeply in denial.

    The only sad part is he apparently thinks he knows something about security, and attempts to be patronising and smarmy with it.

    Incidentally with Leopard you can redirect OSX updates from a local server on your network. In fact Apple provide a service in Leopard server to do this called unsurprisingly, 'Software Update'. And no it doesn't use SSL.

  30. jai

    this is all acedemic now anyway

    because today the security patch came out that fixes this flaw didn't it?

This topic is closed for new posts.

Other stories you might like