
Apple's Fix for Major DNS Security Hole Finally Arrives


Guest Reimar
Posted

Apple's fix for major DNS security hole finally arrives

Nearly three weeks after Microsoft patched its Windows operating system to protect against attacks exploiting a flaw within the DNS system, Apple has delivered its own fix.

For Apple customers, the DNS fix is available for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4. Users can download the security update through Apple's Web site or use the Software Update feature within the operating system.

Read the full article HERE

************************************************

As a side note: I'm just wondering why Apple has needed so much time to acknowledge the existence of that DNS hole and needed more time to release a fix. And that fix applies to just 4 versions (Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4), the latest ones and not to older ones!

That looks like pure ignorance of the customers' needs and demands.

Cheers.

Posted

Adding to the side bar, it has been reported that the patch does not deal with the port sequencing issue, so Mac clients could still be at risk, though it is still vital to patch.

Regards

Posted (edited)

"As a side note: I'm just wondering why Apple has needed so much time to acknowledge the existence of that DNS hole and needed more time to release a fix. And that fix applies to just 4 versions (Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4), the latest ones and not to older ones!

That looks like pure ignorance of the customers' needs and demands."

Well, I could write about Apple's programmers being not up to the job, but of course I risk being flamed left and right if I did :o

Microsoft of course had the luck that their mainstream operating system (Vista) didn't need to be patched.

I can however understand that Apple only released this for the latest Tiger and Leopard; users of these two OSes have Mac update to get their OS to the latest level.

Edited by sjaak327
Guest Reimar
Posted
"As a side note: I'm just wondering why Apple has needed so much time to acknowledge the existence of that DNS hole and needed more time to release a fix. And that fix applies to just 4 versions (Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4), the latest ones and not to older ones!

That looks like pure ignorance of the customers' needs and demands."

Well, I could write about Apple's programmers being not up to the job, but of course I risk being flamed left and right if I did :o

Microsoft of course had the luck that their mainstream operating system (Vista) didn't need to be patched.

I can however understand that Apple only released this for the latest Tiger and Leopard; users of these two OSes have Mac update to get their OS to the latest level.

Ok, that's fine that Vista was secure. But were the older versions of Apple's OS secure as well? Apple has just done the fix for version 10.5.4 but not for 10.5.3 or older, let's say down to 10.5 or even 10.4.x!

Here we come back to the point of downward compatibility. I do believe that a lot of Apple users are still not using the latest version of OS X because of the need to upgrade their machine and the software they are running, which is quite expensive. So what about those legit users?

That's what I mean by ignorance!

Don't get me wrong, I'm not against Apple! The Mac is an excellent machine for doing design work. I also work on a Mac sometimes. But I can't recommend a Mac to customers who need to upgrade their system every time the OS changes, especially the software upgrades. It's a question of cost besides (downward) compatibility, and the cost of software upgrades is very high!

Cheers.

Posted

So, I thought this whole DNS thing affected DNS servers. Who here is running OS X as their, or any DNS server? Hands up, please, I want to take a count.

Anyway, because of this, and because of the conflicting information about this bug, I decided to do some research.

First thing I checked the Apple security update notes which have this to say:

BIND

CVE-ID: CVE-2008-1447

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: BIND is susceptible to DNS cache poisoning and may return forged information

Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.

See the text in bold. The affected component is not enabled by default. It's a unix daemon process, so in order to be vulnerable to this bug you have to enable your BIND daemon and most likely configure it.

And that's it. The facts are rather boring, I am afraid, and I don't see how any normal user could possibly be affected by this. If you run a server farm with OS X servers, maybe - not even sure you'd need BIND for most server applications.

Nothing to see here, move along... :o
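Added example, not part of the original thread or of Apple's update: the advisory quoted above describes the fix as source port randomization. One way to check whether a resolver's outbound query ports really are randomized is to classify the ports seen in a capture; the function names, thresholds and sample ports below are constructed for illustration.

```python
import math
import statistics

def classify_source_ports(ports):
    """Classify the UDP source ports of a resolver's outbound queries.

    Returns 'fixed', 'sequential', 'narrow' or 'randomized'.
    The 0.8 and 4000 thresholds are illustrative assumptions.
    """
    if len(ports) < 5:
        raise ValueError("need at least 5 observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    # Step between consecutive queries, allowing wrap-around at 65535.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in deltas if 0 < d <= 16)
    if small / len(deltas) >= 0.8:
        return "sequential"
    return "randomized" if statistics.pstdev(ports) >= 4000 else "narrow"

def guess_space_bits(ports):
    """Rough estimate of what an off-path spoofer must guess, in bits.

    The 16-bit query ID always counts; the port only adds to it when
    it is unpredictable, and then by log2 of the observed port span.
    """
    if classify_source_ports(ports) in ("fixed", "sequential"):
        return 16.0
    return 16.0 + math.log2(max(ports) - min(ports) + 1)

# Constructed samples, as read from a capture of outbound queries.
FIXED = [32768] * 8
SEQUENTIAL = [1025, 1026, 1027, 1029, 1030, 1031, 1033, 1034]
RANDOMIZED = [51234, 1893, 40021, 17760, 60412, 9321, 33005, 24876]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)]:
        print(name, classify_source_ports(sample),
              round(guess_space_bits(sample), 1))
```

A resolver behind a NAT device should be measured on the outside of that device, since the NAT may rewrite the source ports.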

Guest Reimar
Posted
Actually it's not only servers....

On the Windows side, clients have their own cache; the fix on the Windows platform also fixed the client side cache on XP and, if I remember correctly, also on Win2k.

Maybe next time do a bit more research, as the client side cache on Mac OSX isn't fixed yet :o

Another blow in the confidence in Apple I would say.

See http://www.tuaw.com/2008/08/01/apples-dns-...oming-up-short/

Unfortunately it's nearly impossible to talk on an objective basis with Apple Freaks. There is nothing which can beat Apple, no viruses, no Trojans, no spies, no DNS holes etc., and if something did, it didn't because it can't on an Apple!

From my point of view it's quite frustrating that a company which claims to be the most secure one in the computer sector needs a long time to fix problems on one hand and on the other just ignores customer demand in many ways. The easiest example is just this DNS hole!

Cheers.

Posted

"From my point of view it's quite frustrating that a company which claims to be the most secure one on the computer sector,"

It is clearly not the case, they couldn't even build their own OS, they had to buy it. :o

Posted (edited)

Umm.. it's hard to fix anything that didn't have a problem to begin with. The client side cache never had this problem on OS X, and AFAIK not on any other systems either. This bug was reported on DNS servers, not clients.

A DNS server is usually run by your provider, e.g. TOT. Your Linksys or whatever router also plays DNS server but it's really just a NAT or network address translation service.

The article you happen to be referring to doesn't actually say anything new, except that the BIND bug fix doesn't really work. Tragic for sure. Should have done better. But does it affect any real users? No.

It's impossible for the cache poisoning issue to affect a normal user. Why? Because the service / program that is vulnerable does not even run on any normal Mac. DNS serving is not an activity normal users will find themselves engaged in.

That's about all that can be said about the topic. There's only so many ways you can say it doesn't actually affect anyone.

I hope this makes it a bit clearer, but I realize that it's an issue that is pretty technical.

It's hard to explain because:

- It's very serious - it potentially affects all ISPs world-wide. Because the issue is on the servers, there is no client side fix possible. If your DNS server has this problem, the client has no recourse. It must trust the server for DNS.

- Most people are unaware of what a DNS server even is, and confuse it with other things. Like the client side DNS cache(?!)

- The press wants to report dramatic news - the reporters don't "get" the problem either so they write something up which sounds scary.

Actually it's not only servers....

On the Windows side, clients have their own cache; the fix on the Windows platform also fixed the client side cache on XP and, if I remember correctly, also on Win2k.

Maybe next time do a bit more research, as the client side cache on Mac OSX isn't fixed yet :o

Another blow in the confidence in Apple I would say.

See http://www.tuaw.com/2008/08/01/apples-dns-...oming-up-short/

Edited by nikster
Posted

It's a little bit more complicated than that, I'm afraid. Sure, the biggest problem indeed is at the DNS server side, and yes, if your provider hasn't fixed their end, then of course you could be in trouble.

But you seem to forget that under Windows at least, there is a DNS client that caches DNS requests from those servers, so for instance if I would do a DNS lookup for www.apple.com, the client caches the answer, rather than asking the DNS server each and every time, thus saving bandwidth.

The fix from Microsoft (MS08-037 http://www.microsoft.com/technet/security/.../ms08-037.mspx) contained fixes for both DNS servers (running under Server 2008, 2003 and 2000) and DNS clients (XP, 2000).

Posted

I am curious;

Who in this thread derives all or any part of their income from installing, promoting or supporting Microsoft or other IT products?

In the interests of transparency I will go first:

I am a small business operator, computer geekery is a sideline/hobby. I receive zero income from pushing one OS or application over another. My desktop is an iMac and my laptops are a MacBook and a ThinkPad running Slackware 11 and my DE of choice is FluxBox.

Your turn..

Posted

"My desktop is an iMac and my laptops are a MacBook and......."

Slackula, that would have to class you as at the very least an 'Apple Fanboy' if not the more exalted 'Apple Freak' on this forum :D

Your point is well taken :o

Posted

I am apparently an "Apple Freak" - LOL, love it - but I do not derive any income from promoting or selling any OS or hardware. I write Java programs that run cross-platform on OS X, Windows, and Linux.

@sjaak - such a client issue doesn't exist on the Mac. Nor do any of the linked articles imply that something like this was the case. As I have pointed out, clients are completely unaffected on OS X. I had the impression WinXP clients were also unaffected, but maybe I was mistaken. It is true that there is a DNS cache locally on OS X - but this cache cannot be poisoned by the above-mentioned attack. The attack is good only for certain servers. The BIND service is such a server, and that's what the OP referred to. Apple has released a fix for the BIND service, the fix isn't good enough, but the BIND service isn't even enabled by default on any Mac system, let alone used for client side DNS caching. The client side cache, as the name implies, merely caches whatever it receives from the servers.

A server side cache is a whole different beast - it's more or less the "large routing table" used to translate IP numbers into domain names. The DNS servers update each other, and when they do, they store what they got in their caches. These caches were vulnerable to poisoning, ie a malicious attacker could make the DNS server store a wrong value. The DNS server would then propagate the wrong value to all clients, with devastating results because most DNS servers serve a lot of users. For example, all TOT users. Hundreds of thousands of machines. DNS servers are part of the foundation of the internet.

Posted

"@sjaak - such a client issue doesn't exist on the Mac."

Well, that's the question; according to some articles I read, there is a client issue, but a very small one. Apparently they are still evaluating how big a risk it actually is. I guess it will be a very small risk. Having said that, I would expect Apple to fix even these vulnerabilities. Furthermore, I appreciate that the BIND daemon might not run by default; that of course doesn't mean that the binaries shouldn't be fixed. The client issue seems to be the one that a-traveller referred to, explained a bit at: http://isc.sans.org/diary.html?storyid=4810&rss

To respond to Slackula, I too don't sell any hard or software, I merely support OS systems, including OSX, Windows XP, Vista, and all kind of server OS's like Server 2003 and 2008, CentOS, and some other Linux distributions. Having said that, I fail to see the relevance to this particular thread.

Posted

The reality behind this attack is based on a number of separate elements; just reviewing 2 key ones, the query ID {QID} & the resource record {RR} within a DNS packet, the attack vector may be more explicable. A stub DNS, which is what is used on all client machines, can be vulnerable through the local platform; for example, I get the victim to go to a specific website in which I've hidden drive-by code to create a fake DNS packet, with a suitable QID. The packet updates the stub DNS with, say, a new address for google {remember the Internet is all numbers, the DNS converts it to and from the address we recognise} and if the update is accepted, grossly oversimplifying the process required to achieve this, for obvious reasons, then the stub will direct the user to the fake google site until the DNS stub cache is refreshed.

Now note the victim wasn't asking for google's 'address' nor anticipating receiving that; however, if I amend the RR within the DNS packet {in effect add an additional element} it is possible for me to send un-requested information to the client stub, which results in the local cache being 'poisoned'.

Regards

PS The discoverer of the flaw is due to provide a talk on this later today, and will be providing more background on this, so I don't believe I'm giving anything away here.

PPS In my view a client attack is unlikely initially, but there is an exposure, and that will increase as knowledge of the exploit grows and people go hunting. Personally, I think it would have been better if Apple had followed others in providing a patch for the range of vulnerable systems, but, if there was a resource issue, then servers were the ones to fix first.
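Added example, not part of the original posts: the post above turns on two acceptance checks, the query ID and whether a resource record was actually requested. The sketch below shows those checks from the resolver's side, working on already-parsed replies; the dictionary layout, function names and all sample values are constructed assumptions.

```python
def norm(name):
    return name.lower().rstrip(".")

def accept_response(pending, resp):
    """Return the records from resp that are safe to cache ([] = reject).

    pending: the outstanding query (server, port, qid, qname, qtype)
    resp:    a parsed reply (src, dst_port, qid, qname, qtype, records)
    """
    # 1. The reply must come from the server we asked, to the port we
    #    sent from, and carry the query ID we chose.
    if (resp["src"], resp["dst_port"], resp["qid"]) != (
            pending["server"], pending["port"], pending["qid"]):
        return []
    # 2. The echoed question must be the one we asked.
    if (norm(resp["qname"]), resp["qtype"]) != (
            norm(pending["qname"]), pending["qtype"]):
        return []
    # 3. Keep only records that answer that question, following CNAMEs;
    #    anything about other names is dropped, never cached.
    wanted, kept = norm(pending["qname"]), []
    for owner, rtype, data in resp["records"]:
        if norm(owner) != wanted:
            continue
        if rtype == "CNAME":
            kept.append((norm(owner), rtype, norm(data)))
            wanted = norm(data)
        elif rtype == pending["qtype"]:
            kept.append((norm(owner), rtype, data))
    return kept

# Constructed data: one outstanding query and three replies.
PENDING = {"server": "192.0.2.53", "port": 40021, "qid": 0x3A7C,
           "qname": "www.example.org", "qtype": "A"}
GOOD = {"src": "192.0.2.53", "dst_port": 40021, "qid": 0x3A7C,
        "qname": "www.example.org", "qtype": "A",
        "records": [("www.example.org", "A", "192.0.2.10")]}
WRONG_QID = dict(GOOD, qid=0x1111)
EXTRA_RR = dict(GOOD, records=GOOD["records"] +
                [("www.example.com", "A", "203.0.113.66")])
```

With these samples, `GOOD` is cached as is, `WRONG_QID` is rejected outright, and `EXTRA_RR` is accepted with the unrequested `www.example.com` record stripped.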
