Typical
It's like Byker Grove when Jeff died.
Apple has come under fire for failing to patch the critical Domain Name System (DNS) flaw which prompted a (rest of) industry wide response earlier this month. For anyone just back from a trip up the Amazon, the discovery of a domain spoofing vulnerability by security researcher Dan Kaminsky sparked a massive patching effort …
I think there will soon be a new term in the IT world.
Scrumping - to attack a network of computers to locate the Apples which haven't been patched.
What is it with Apple and this blind ignoring of security issues? (I am especially thinking of Safari here as well as this DNS issue)
Some of the news items lately find Apple acting as if security is someone else's problem. Soon this will bite them in the arse as the Black Hat crowd target them more and more.
The joke of this DNS fix is Apple just need to add the patch that someone else has already written for them!!
Although I'm quite happy with my Mac "end-user" computers I can't understand why people bother with the server variant of OSX. Just put FreeBSD or Linux onto bog standard hardware and have done with it. It's not like you get a significant commercial software advantage over *nix like you do with a normal Mac, and as incidents like this prove, you're doing yourself and your users a disservice by depending on Apple to fix issues long after the OSS community have issued patches for other *nix variants.
Does anyone actually use an OS X machine as a caching nameserver anyway? This sounds like a completely irrelevant attack at Apple - I'm sure there are thousands more products (DSL routers etc) for which there's *much* more real world need for patches than for OS X.
...the reason everyone else got a patch out in such short time is everyone got advance notice (hence why it came out on Patch Tuesday).
Do we know if Apple also got advance warning? If not, fair enough. If so (and I suspect they did get warning) that's even worse!
Still, holding off judgement until I know for sure.
Mac OS-X is BSD, Apple don't actually write the majority of the server components, all they have to do is wait for a patch to be written by the nice people at Berkeley, compile it and package it. How does that even begin to take more than two weeks for such an important vuln? If this were MS, we wouldn't hear the end of it, and they have to actually write their own software.
It's pretty clear that Apple (the corp) actually believes what their fanbois believe, viz. Macs are Totally Wonderful, Defect Free, and Utterly Secure. You'd think that the powers that be at Apple would be privy to all the dirty secrets about deficiencies in their systems, but it seems like they've fallen for their own publicists' lies, misstatements, distortions, and obfuscations as well as the adulation of their users.
It's been known for years that Macs weren't targeted by the malware crowd because there weren't enough of them to make it worthwhile. But that is NOT security; that's just dumb luck. With the transition to OS X, plus Microsoft's pratfall called "Vista", suddenly the uptake of Macs is a lot greater, and guess what? Now Macs _are_ worthy targets for malware.
Surely Apple management is fully aware that they had a house of cards on their hands? Yes, being based on Unix, OS X has a lot of inherent security lacking in Windows, but modern OSes are so complex that it's impossible to render them watertight.
The gradual revelation that OS X, Safari, etc have security holes just like all other systems merely frosts the cake.
This is purely a non-critical issue, it's just that hackers are jealous of Apple's solid OS so they want to make a mountain of a molehill. Nobody has used the "supposed" DNS issue to cause any issues. The people that think otherwise are lemmings.
Apple will fix issues that are serious... quickly, but a minor problem such as this which can't be exploited, can easily wait until a routine security fix is issued.
Everyone... let's all LAUGH at the people that consider this "patch" as necessary, it's simply not, unless you were in a Clean Room situation... and deeply in control of every aspect of both sides of the equation.
Hackers make me laugh when they speak in regards to OSX... they are SO clueless.
Have there been any reported real world exploits of OS X to date? Any viruses, trojans, botnets etc?
Not those carried out in the lab or at black hat conventions -they don't count- but in the real world?
Would be interested to hear as this is what it will take to make Apple take security more seriously... Anyone?
The majority of all security issues you see these days -- including those on Windows -- are theoretical/lab/black hat convention exploits.
The majority of Windows issues people still have in terms of viruses propagating everywhere are unpatched systems.
The whole point is that by not patching systems when these flaws are discovered, you leave yours as the vulnerable one, so that when exploits do come out for those that didn't bother patching, you'll be the one suffering.
...there are too many fanboys of the kind that do a disservice to the rest of the users (of whatever platform). Yes we all know that you, your family, your friends, heck why not your whole neighborhood, are all Mac users AND are security-literate. But that doesn't make the rest of the Mac users also security-literate.
No doubt Mac OS is a secure platform, but the information on it can still be compromised (read: stolen) through the applications running on it and the users themselves. A poorly written or poorly maintained/patched application can easily be subverted. A user can be fooled into believing that a compromised application is still trustworthy, even assist a malware masquerading as a legit program. Remember, your common user would believe that because their platform is secure, they (the applications they use and themselves) are immune to even the simplest information theft.
Don't forget, your platform doesn't have to be completely infected/subverted to have information stored in it to be stolen. Different platforms require different tactics, and as such, just to have your browser subverted for the duration of a session is a disaster already (either steal your files or record your online passwords).
Instead of bragging, help your fellow Mac users that are security-illiterate. Just reminding them that they still need to take measures to protect themselves is already a big help.
You either have one of the driest senses of humour I've ever seen, or you're a moron. Just in case it's the latter, please consider the following steps.
1. Write simple Flash advert that will poison the DNS cache for apple.com
2. Buy a campaign on doubleclick.com, El Reg's ad supplier
3. Reroute swscan.apple.com to dodgy IP address.
4. Advertise an update for OS X. Deliver a trojan instead.
That's it. It doesn't matter if you're all patched and firewalled, if the upstream DNS isn't then the next Apple software update you install roots your box.
See that nice banner at the top of the page? Install the iDVD update that came out last Friday? Getting the picture yet?
@ Anonymous Cowherd
Everyone had a great laugh at your fantasy of how you could magically break into OSX... what a hoot!
OS updates can only originate from Apple, so no magic DNS trickery can change that.
A flash app that could somehow poison Apple's DNS! ... GOD that is funny!
A Mac user clicking on a banner for an update! ... GOD that is funny!
You do know Apple uses UNIX, not Windows for their servers right?
Thanks for the huge laugh at your expense.
Ted, do you understand how the attack AC is talking about works?
Yes flash apps CAN poison YOUR DNS, not Apple's. It makes apple.com look like it's at another location. Now I don't know if it can go further than that as I guess Apple signs its updates and uses SSL connections...but that's an assumption.
Also Ted I think AC suggested a flash app as IIRC it wouldn't require you to click anything as it runs automatically and poisons your cache automatically. If it wasn't a flash ad then yeah you would need to click.
Either way you can make an address such as hsbc.com point to your own IPs and have lots of fun, so you saying this can't work is plain wrong and I bet it is active in the wild (luckily my ISP's nameservers are patched).
You are wasting your time attempting to explain a technical issue to Ted - he is the stereotypical rabid clueless fanboy rooted deeply in denial.
The only sad part is he apparently thinks he knows something about security, and attempts to be patronising and smarmy with it.
Incidentally, with Leopard you can redirect OSX updates from a local server on your network. In fact Apple provide a service in Leopard Server to do this called, unsurprisingly, 'Software Update'. And no, it doesn't use SSL.