Nearly Three Months Later, Apple Finally Patches DNS Flaw [Updated]
[Update: According to some security experts the patch Apple claimed would fix the DNS bug, does not in fact patch it. Computer World quotes a security expert who says, "even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw." Given that Apple uses the Internet Software Consortium's BIND tools, and the ISC's version has already been patched, it's hard to see how Apple's version remains vulnerable. But on the OS X client side anyway, it would appear that the flaw still exists. Given that there probably aren't many client versions of OS X hosting DNS servers, the flaw isn't overly critical for the average user, but it does add yet another wrinkle to what's already become an embarrassing saga for Apple. There's still no word on whether OS X Server patch works or not. If you have a copy available to test, let us know what you find.]
Apple has finally released a patch that, among other things,
closes the very serious DNS cache poisoning attack (see above) we mentioned earlier. Today’s security update also patches numerous security flaws in OS X and is recommended for all users.
While Apple users at least now have a solution for the very serious DNS threat, many are wondering why it took Apple nearly three months to release the patch.
What’s even more galling for some users is that in that time, Apple has managed to patch its consumer applications — notably iTunes and MobileMe — numerous times.
The failure to address serious security issues and choosing instead (by appearances anyway) to focus its efforts on consumer applications may have done some real damage to Apple’s reputation in the corporate world.
With the iPhone recently pulling in a slew of features aimed specifically at the corporate world, it’s no secret that Apple is at least partially coveting that market. Just as the iPod turned a generation of kids into Mac users, Apple seems to be hoping that the iPhone will do the same for the corporate world.
Unfortunately for Apple, unless the company starts taking security more seriously and becomes more forthcoming with its users, the corporate world is unlikely to embrace the company’s products.
John C. Welch, senior systems administrator for The Zimmerman Agency (and from what I can tell, ordinarily a supporter of Apple) recently wrote:
Apple needs to not only release the patch, but issue a public mea culpa that apologizes, and outlines the way the process(es) that allowed this to happen will be fixed. If that does not happen, then as an IT professional, I will be required by my own professional ethics to begin a serious review of any uses of Apple hardware on my network that faces the public Internet, and see if those machines can be replaced by a similar product from another vendor that not only claims to take security seriously but actually takes the actions to show it does. I would recommend that anyone else in my line of work do the same.
With MobileMe proving something of a disaster, iPhone 2.0 off to bumpy start and the failure to address the DNS flaw in timely fashion, Welsh is no doubt not alone in his loss of faith in Apple.
For those running OS X Server, the update should be available through Software Update or it can be downloaded from Apple’s site.
[via Computer World]