Updated 2:50 p.m. PDT with comments from security researcher Rich Mogull.
Three weeks after the disclosure of a serious flaw within the Domain Name System (DNS), Apple has yet to patch its MAC OS X operating system, but the company may be able to look to a third party in defense.
In a posting to an Internet newsgroup on Monday, Paul Vixie of the Internet Systems Consortium (ISC) acknowledged that the Berkeley Internet Name Domain (BIND) DNS Server's recent -P1 releases may be unstable for some users. The BIND DNS Server is used on the vast majority of name serving machines on the Internet and provides an openly redistributable reference implementation of the major components of the Domain Name System.
Vixie, one of the researchers briefed in advance of the DNS flaw disclosure by Dan Kaminsky, said that once ISC learned of the problem, it began work immediately on a patch.
However, "during the development cycle we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second. Given the limited time frame and associated risks we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns."
Vixie underscored that having the DNS patch was more important than worrying about slow server problems. He said that ISC will be releasing versions of 9.3.5-P2, 9.4.2-P2, and 9.5.0-P2 at the end of this week.
Separately, security researcher Rich Mogull of Securosis.com echoed that having a DNS patch was better than not having one.
In a blog last week co-authored with Glenn Fleishman, Mogull commented on Apple's lack of a patch. He wrote: "Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
In an e-mail to CNET News, Mogull said "Apple may be stuck between a rock and a hard place on this one, but they've chosen the worst possible option--remaining silent."
He went on to say that we don't know how the BIND instability affects the Mac OS X Server.
"If it were unstable, my recommendation would be to make a preliminary patch available that those using it as a recursive DNS server can apply. With an active exploit, no patch at all is not a viable option and places customers at high risk. Let the customers make their own risk decision."
Mogull suggests that those savvy with compiling code could still install their own version of 9.5.0-P1 to a Mac OS X Server or "reconfigure those servers to forward DNS requests to alternative platforms, such as BIND on Linux or Unix, or Microsoft servers, until Apple issues a patch."
Current attacks in the wild only affect DNS caching on Web servers, said Mogull in his blog, so desktop MAC OS X users need not be concerned just yet.
Apple had no comment to a request from CNET News regarding the status of a Mac OS X DNS patch.
As of Wednesday, an exploit code allowing someone to attack the domain name system (DNS) was available in various places on the Internet.
On July 8, IOActive researcher Dan Kaminsky disclosed a flaw in the DNS but would not provide the details until all the affected vendors had released patches and all the systems worldwide could be patched. He figured that it would take about 30 days for that to happen.
The 30-day mark just happened to coincide with his speaking engagement at Black Hat in Las Vegas on August 6.
But on Monday, fellow Black Hat presenter Halvar Flake attacked Kaminsky's plea that a security flaw such as this be kept a secret. Flake then proceeded to lay out what he thought the flaw was. Turns out, he was right and laid the foundation for others to create and publicize an exploit.
On Thursday, Kaminsky will be a guest on the second Black Hat Webinar. This is the second of what is hoped to be a monthly series produced by the conference. Kaminsky will be joined by Jerry Dixon, former director of the Department of Homeland Security's cybersecurity division; Rich Mogull, founder of Securosis; and Joao Damas, a senior program manager at the Internet Systems Consortium. The Webinar begins at 1 p.m. PT.
To see if your connection to the Internet is vulnerable to DNS cache posioning, use this test on Kaminsky's site. As of Monday, researcher Neal Krawetz was reporting that servers at several high-profile ISPs remained vulnerable.
- prev
- 1
- next
