DNS hole - no patch yet from Apple
Unlike Microsoft and the Linux distributors, Apple, perhaps distracted by their recent spate of product launches, has so far not provided a patch for the current security problem in the Domain Name Service. As the vulnerability is already being exploited, anyone using an OS X server for DNS purposes should act immediately.
In early March, Dan Kaminsky discovered a massive security problem in the procedure used for translating names like www.heise.de into IP addresses like 220.127.116.11. It appeared that, with little effort, access to the service could be diverted to other computers on the internet. Kaminsky informed all the major vendors – according to Rich Mogull, who says he assisted Kaminsky in making these contacts, these included Apple – and the vendors agreed to face the imminent threat with a joint strategy.
On July 8, Microsoft, Cisco, ISC, Red Hat, Ubuntu and many other vendors, for the first time, released simultaneous updates to make it more difficult to exploit the DNS hole and urged users to install the updates immediately. At the time, the vulnerability details were still being kept under cover to allow users, and especially server operators, enough time to install and test the patches.
Now, however, the cat is out of the bag: the nature of the vulnerability has been revealed, and the first tools already demonstrate how little effort is required to compromise the name translation of a DNS server and redirect web pages. The first exploits have already appeared.
We have no explanation why Apple hasn't yet released any relevant security alerts and updates. After all, OS X servers use BIND, one of the most popular DNS server implementations, and BIND is affected by this problem. However, the BIND developers themselves released an update early on, which is said to be portable to the UNIX-like OS X without much effort. According to Mogull, as with the other operating systems, the DNS client implementations are in principle also vulnerable. There should be no need to panic just yet, because attacks are currently focusing on servers.
Those who operate an OS X server should, for now, refrain from using this server for domain name resolution. They can alternatively use their internet provider's DNS server, which hopefully already has the updates in place, although that server won't be able to translate local names. Users who run OS X as their desktop system should make sure they use a secure DNS server. This can, for example, be tested via DNS-OARC or Dan Kaminsky's site. Should it turn out that the DNS cache of OS X clients is also directly vulnerable, users can only hope that Apple will provide patches before the first attacks on clients appear.
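The tests mentioned above grade how unpredictable a resolver's outgoing UDP source ports are, which is what the July 8 updates changed. The following is an added example, not code from the article or from DNS-OARC: given the source ports an authoritative server sees in queries from one resolver, it grades them POOR, GOOD or GREAT. The port lists are constructed, and the grading thresholds are assumptions rather than the exact values the public tests use.

```python
"""Grade a resolver's UDP source port randomisation from observed ports.

The sample data below is constructed; the POOR/GOOD/GREAT thresholds are
assumptions chosen for illustration, not DNS-OARC's exact values.
"""
import statistics

# Constructed samples: the source ports an authoritative name server would
# see in the queries arriving from one recursive resolver.
FIXED_PORT_RESOLVER = [53] * 20                    # one port for every query
SEQUENTIAL_RESOLVER = list(range(32768, 32788))    # counts up by one per query
RANDOM_RESOLVER = [61134, 2049, 45017, 17602, 58990, 9123, 33841, 50266,
                   4417, 27705, 62301, 14088, 40932, 8251, 55670, 21399,
                   36114, 48477, 11860, 30023]


def port_stats(ports):
    """Return (distinct ports, population std. deviation, largest step).

    The step is the absolute difference between consecutive ports; a
    resolver that merely increments its port has a largest step of 1.
    """
    if len(ports) < 2:
        raise ValueError("need at least two sampled ports")
    distinct = len(set(ports))
    stdev = statistics.pstdev(ports)
    largest_step = max(abs(b - a) for a, b in zip(ports, ports[1:]))
    return distinct, stdev, largest_step


def classify(ports, poor_stdev=3000.0, great_stdev=10000.0):
    """Grade the port sample; threshold defaults are assumptions.

    A single fixed port or a simple counter is POOR regardless of spread,
    because both let the answer port be predicted from one observation.
    A wide spread across the 16-bit range is what the patched resolvers
    aim for, and is graded GREAT.
    """
    distinct, stdev, largest_step = port_stats(ports)
    if distinct == 1 or largest_step <= 1:
        return "POOR"
    if stdev < poor_stdev:
        return "POOR"
    if stdev < great_stdev:
        return "GOOD"
    return "GREAT"


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT_RESOLVER),
                         ("sequential", SEQUENTIAL_RESOLVER),
                         ("random", RANDOM_RESOLVER)]:
        print(name, port_stats(sample), classify(sample))
```

The same function can be applied to the 16-bit transaction IDs of the observed queries, since the tests grade both fields.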
- DNS vulnerability exploits released (report from heise security online UK)
- DNS security problem details released (report from heise security online UK)
- Massive DNS security problem endangers the internet (report from heise security online UK)