Microsoft joins 'patch DNS now' chant; Apple patch missing


On the heels of the release of weaponized exploit code for the DNS cache poisoning vulnerability, Microsoft has joined the chorus of security pros pleading with DNS server providers to immediately apply patches to protect users from malicious attacks.

The Redmond, Wash. security giant issued a formal security advisory today with a terse warning that "attacks are likely imminent" because of the availability of exploit code:

Since the coordinated release of these updates, the threat to DNS systems has increased due to a greater public understanding of the attacks, as well as detailed exploit code being published on the Internet.

Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

[ SEE: Attack code published for DNS flaw ]

The company said its investigation of the exploit code, which was included in Metasploit, has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037.

However, as Dan Goodin reports, some of the world's biggest ISPs are still very slow to ship fixes to protect customers.  Goodin found that the tardy ISPs included AT&T, Time Warner and Bell Canada.

My own testing of AT&T's network on the iPhone returned conflicting results. Dan Kaminsky's Doxpara DNS checker said AT&T was vulnerable, but the same test at DNS-OARC's DNS checker got this: 209.183.33.23 (schinetdns.mycingular.net) appears to have GREAT source port randomness and GREAT transcation ID randomness.
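The check those two testers perform can be approximated from a capture of a resolver's own outbound queries: rate how widely its 16-bit UDP source ports and transaction IDs are spread, since a fixed port or counting ID is what the patches remove. This is an added example, not code from the original post or from either checker; the sample values, the rating thresholds and the function names are its own assumptions.

```python
import statistics

# Constructed samples (not real captures): the 16-bit UDP source port and DNS
# transaction ID of twelve consecutive outbound queries from two hypothetical
# resolvers, as a sniffer on the resolver's uplink would see them.
UNPATCHED = {
    "ports": [53] * 12,                               # every query from port 53
    "txids": list(range(0x1A2B, 0x1A2B + 12)),        # IDs simply count upward
}
PATCHED = {
    "ports": [43122, 61890, 1237, 51033, 30877, 18002,
              64011, 9921, 55409, 27310, 41876, 12658],
    "txids": [0x9F31, 0x0C7E, 0xD102, 0x5A44, 0xE9B0, 0x3317,
              0x7FE5, 0xB206, 0x144D, 0xC8A9, 0x6D70, 0x28FB],
}

def rate(values):
    """Rate a sample of 16-bit values POOR / FAIR / GOOD / GREAT.
    The labels mirror the OARC checker's wording; the thresholds are this
    example's own assumptions, chosen so a uniform 16-bit source (population
    stdev of roughly 18900) rates GREAT and a fixed or counting source POOR."""
    if len(set(values)) == 1:
        return "POOR"          # one value: a single guess hits it every time
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return "POOR"          # constant increment: the next value is predictable
    sd = statistics.pstdev(values)
    return "GREAT" if sd >= 10000 else "GOOD" if sd >= 3000 else "FAIR"

def assess(sample):
    """Return both ratings plus whether the resolver still needs patching.
    A fixed source port leaves only the 16-bit transaction ID standing between
    a forged answer and the cache; randomizing the port as well is what the
    MS08-037 and BIND updates add."""
    port_rating = rate(sample["ports"])
    txid_rating = rate(sample["txids"])
    return {
        "port_rating": port_rating,
        "txid_rating": txid_rating,
        "needs_patch": "POOR" in (port_rating, txid_rating),
        "summary": (f"appears to have {port_rating} source port randomness "
                    f"and {txid_rating} transaction ID randomness"),
    }

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess(sample)["summary"])
```

Twelve queries is enough to catch a fixed port or a counter; a resolver that rates FAIR on a small sample deserves a longer capture before being judged.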

[ Vulnerability disclosure gone awry:  Lessons from the DNS debacle ]

According to Rich Mogull, Apple is also among the tardy vendors:

Apple has yet to patch the vulnerability which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack.

Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.

All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative or risk being compromised and traffic being redirected. Installing the above-mentioned BIND should be relatively trivial for anyone who can compile software at the command line. The Mac community could take this up if someone created a compiled version of BIND 9.0.5-P1 and distributed it for simpler installation.

With active exploit code available in a common attack tool, it is imperative that Apple fix this vulnerability. Due to their involvement in the process and the ability of other vendors to fix their products in a timely fashion, it's hard to imagine any possible justification for Apple's tardy behavior.

I have confirmed at least three publicly available exploits for this vulnerability and there is reliable behind-the-scenes mumbling that others are on the way.

Dan Kaminsky gets the last word: "Less drama, more patching."


Talkback

15 comments
  • This is NOT Apple's fault, they didn't write BIND

    [i]Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.[/i]

    Just like the PWN2OWN vulnerability wasn't Apple's fault (Apple didn't write Perl), this is also not Apple's fault. Apple can't be held responsible for the code they distribute on their install disks, they can only be held responsible for the code that they actually wrote. So rest assured all you OS X users, if you get phished, it isn't Apple's fault. It is probably Microsoft's fault.

    ;)
    NonZealot
    • :)

      You are incorrigible.

      _r
      Ryan Naraine
      • I couldn't make this stuff up if I tried

        Seriously, I'm not that creative.
        [url=http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=48138&messageID=898138] Apple fan explains why Apple isn't responsible for PWN2OWN vulnerability [/url]
        [i]A Perl exploit isn't an Apple bug, anymore than the Flash exploit on the Vista machine was a Microsoft bug.[/i]

        I'm only using Apple user logic when I say that this isn't Apple's problem. :)
        NonZealot
        • Did anyone bother to point out

          that Flash doesn't ship with Windows? And that Perl does ship with OS X?
          Michael Kelly
        • To an extent it is

          Since they use it it is partially their fault. More so if they didn't help facilitate a fix.

          If Ford (or any other company) sub contracted a part that was used in their cars which caused a problem (say, randomly failing brakes), people would blame Ford, not the sub contractor.
          Comnenus
    • RE: This is NOT Apple's fault, they didn't write BIND

      If they're putting their name on it and shipping it, they are responsible. Same rules apply for any OS distribution: i.e., Red Hat didn't write BIND, either, but as a distribution maintainer they are responsible for getting the patch applied, tested, and distributed for the BIND version they ship.

      If the responsibility doesn't rest with Apple as the distribution maintainer, what are you really saying: that you get nothing from Apple and every Apple end user is responsible for the maintenance of every single piece of software packaged in Mac OS X? My ... that just makes me want to run out and load Mac OS X everywhere -- I just love maintaining all of my system software without vendor support.
      regex.fu
      • You Must Be New Here

        NonZealot does not defend Apple.

        So, it's a fair question for the tech journalists: why is Apple lagging on rolling out the patch?

        About the only remotely plausible (and weak) explanation I can imagine is that the number of systems that are used in an exposed manner is counted in dozens.
        DannyO_0x98
        • Another Easy Answer

          Because Apple needs to be dragged kicking and screaming into security patches.
          rpmyers1
        • Typical (rotten) Apple

          Hmmm, I wonder if Apple is going to make another one of their smarmy commercials with that guy from Die Hard IV and try to say this only happens on PCs. I honestly think that when Apple makes those commercials they are playing both sides of the fence; by saying these problems happen to PCs they are, technically, saying it happens to them as well since they are making personal computers.

          Maybe Apple products wouldn't cost so much if they reduced their slick advertising budget. Then again, they wouldn't move product if they made a commercial where they compared cost-to-features ratio of any of their products versus a competitor (iPods included).
          Leeroy_Jenkins
    • Following that logic

      No one vendor is responsible for ANY updates. After all, THEY didn't write the exploits did they.
      Bozzer
  • The hackers named the virus and virus types

    These hackers invented the whole jargon that you see on viruses. They even tried to get rid of the virus with some token programs.
    BALTHOR
  • RE: Microsoft joins 'patch DNS now' chant; Apple patch missing

    --
    regex.fu
    • No-delete button woes?

      I hear you man... I hear you...
      Core2uu
  • It's no miracle cure anyway

    Can anyone with any expertise really expect this to change much? As if it isn't just one of many flaws allowing some a rather pleasant lifestyle at the expense of others? Samo, samo, doh! wakey wakey - been asleep for the last 10 years? The whole first couple of decades of the internet will be remembered as the stone age when loonies were put in charge. Really!
    Why bother - there are no secrets left except for those of you who still think nuclear weapons are the bee's knees in weaponry. Yeah right.
    topsecret@...