Apple Still Has Not Patched the DNS Hole

Posted by kdawson on Monday July 28, @07:17PM from the get-with-it-already dept.

Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."

Tags: apple, security

Related Stories

Kaminsky's DNS Attack Disclosed, Then Pulled (280 comments)
An anonymous reader writes "Reverse engineering expert Halvar Flake has recently mused on Dan Kaminsky's DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled 'Reliable DNS Forgery in 2008.' The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak." Reader Time out contributes a link to coverage on ZDNet as well.
Attack Code Published For DNS Vulnerability (204 comments)
get_Rootin writes "That didn't take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky's DNS cache poisoning vulnerability into the point-and-click Metasploit attack tool. From the article: 'This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.' Here's our previous Slashdot coverage."

Patch DNS Servers Faster (143 comments)
51mon writes "Austrian CERT used data from one of their authoritative DNS servers to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.

Firehose: Apple caught with DNS pants down, by machine321 (458769)

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
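The measurement behind the "Patch DNS Servers Faster" story, looking at an authoritative server's own query log to see which recursive resolvers have started sending from randomized source ports, can be reproduced on a small scale with the script below. It is an added example, not code from Slashdot, TidBITS or CERT.at: the BIND 9 "queries" log-line layout is an assumption, the log lines embedded in it are constructed, and the verdict thresholds are this example's own choices rather than anything the story reports.

```python
"""Judge recursive resolvers' source-port randomization from an authoritative
nameserver's query log.  Added example, not code from the Slashdot story,
TidBITS or the Austrian CERT study; the BIND 9 querylog layout is assumed
and the sample lines below are constructed."""
import math
import re
from collections import defaultdict

# Assumed BIND 9 "queries" category layout, e.g.
#   28-Jul-2008 19:17:01.123 client 192.0.2.10#53: query: www.example.com IN A +
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (client_ip, source_port) for every line that matches the layout."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port"))


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.
    A single fixed port gives 0; n distinct ports used once each give log2(n)."""
    total = len(ports)
    counts = defaultdict(int)
    for p in ports:
        counts[p] += 1
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify_resolvers(lines, min_queries=5, min_bits=2.0):
    """Group queries by resolver address and give each one a verdict.

    FIXED_PORT    every query came from one port (pre-patch behaviour)
    LOW_ENTROPY   several ports, but far too few to resist guessing
    RANDOMIZING   ports spread out, what the source-port patch produces
    INSUFFICIENT  fewer than min_queries samples, so no verdict
    The thresholds are this example's own choices, not CERT.at's."""
    by_client = defaultdict(list)
    for ip, port in parse_query_log(lines):
        by_client[ip].append(port)
    report = {}
    for ip, ports in by_client.items():
        n, k, h = len(ports), len(set(ports)), port_entropy_bits(ports)
        if n < min_queries:
            verdict = "INSUFFICIENT"
        elif k == 1:
            verdict = "FIXED_PORT"
        elif h < min_bits:
            verdict = "LOW_ENTROPY"
        else:
            verdict = "RANDOMIZING"
        report[ip] = {"queries": n, "distinct_ports": k,
                      "entropy_bits": round(h, 2), "verdict": verdict}
    return report


# Constructed sample log (RFC 5737 documentation addresses):
#   192.0.2.10    always sends from port 53      -> unpatched resolver
#   198.51.100.7  new high port for every query  -> patched resolver
#   203.0.113.9   alternates between two ports   -> weak randomization
#   203.0.113.5   only two queries seen          -> not enough data
def _line(ip, port, name):
    return "28-Jul-2008 19:17:01.123 client %s#%d: query: %s IN A +" % (ip, port, name)


SAMPLE_LOG = (
    [_line("192.0.2.10", 53, "host%d.example.com" % i) for i in range(6)]
    + [_line("198.51.100.7", p, "mail.example.com")
       for p in (34217, 51903, 60122, 41877, 57310, 39645)]
    + [_line("203.0.113.9", 1024 + (i % 2), "www.example.com") for i in range(6)]
    + [_line("203.0.113.5", 2000 + i, "ftp.example.com") for i in range(2)]
    + ["28-Jul-2008 19:17:02.001 general: info: unrelated log line"]
)

if __name__ == "__main__":
    for ip, r in sorted(classify_resolvers(SAMPLE_LOG).items()):
        print("%-14s queries=%2d ports=%2d entropy=%.2f bits  %s"
              % (ip, r["queries"], r["distinct_ports"], r["entropy_bits"], r["verdict"]))
```

The script only says whether a resolver is still using a predictable source port; it detects nothing about an attack in progress. Feed it the real query log of an authoritative server you run (with the regular expression adjusted to that server's log format) and the FIXED_PORT entries are the resolvers, often ISP caches, whose operators have not yet deployed the patch.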
Comments (50)

Typical Apple Situation (Score:5, Funny) by Anonymous Coward on Monday July 28, @07:19PM (#24377103)
Waiting for the port.

Never been truer (Score:5, Funny) by djdavetrouble (442175) on Monday July 28, @08:49PM (#24378223)
There is always one bad Apple (tm) that spoils the whole bunch.

Lawyered up (Score:5, Funny) by markdowling (448297) on Monday July 28, @10:33PM (#24379377)
Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy

Re: (Score:3, Informative) by dgatwood (11270)
If your server is configured as it should be, the exposure here should be pretty limited. AFAIK, issues with cache poisoning can be dramatically reduced in risk by limiting requests for recursion to hosts within your own network. In environments where the network is untrusted, of course, that's not sufficient, though it is still a good stop-gap to reduce your exposure.

    // named.conf: only hosts in your own network may ask for recursive lookups
    options { allow-recursion { a.b.c.d/xx; }; };

t3h horror! (Score:5, Funny) by TheSHAD0W (258774) on Monday July 28, @07:21PM (#24377145)
Are there any statistics on how many Macs are being utilized as DNS servers? Is it more than three? [runs away]

Re:t3h horror! (Score:5, Funny) by Annymouse Cowherd (1037080) on Monday July 28, @07:42PM (#24377447)
I would bet it's about as many as are being used as servers, which is not many.

Re:t3h horror! (Score:5, Funny) by Anonymous Coward on Monday July 28, @07:57PM (#24377679)
I'm not sure. But what I do know is that the patch is going to require a hardware upgrade; Apple would have it no other way. [runs and hides]

Re:t3h horror! (Score:5, Funny) by Fast Thick Pants (1081517) on Monday July 28, @08:14PM (#24377853)
Either that, or a $20 charge for "new features"...

Re:t3h horror! (Score:5, Funny) by JanneM (7445) on Monday July 28, @08:27PM (#24377987)
> Either that, or a $20 charge for "new features"...
Come now, give Apple some credit. This isn't just some run-of-the-mill bug, this is a serious security issue that could cause their customers some serious harm if not fixed. I'd expect $100 at least; or perhaps they'll introduce the innovative "iLease", with a "lease to own" path for the fixed bug where it's patched permanently on your server after only three years of monthly bug fix rental.

Re:t3h horror! (Score:5, Funny) by Nerdfest (867930) on Monday July 28, @09:40PM (#24378741)
Heh Heh ... Lease to pwn.

Re:t3h horror! (Score:4, Funny) by Chris Burkhardt (613953) on Monday July 28, @09:08PM (#24378425)
> Are there any statistics on how many Macs are being utilized as DNS servers?
My Mac mini is being used as a caching DNS server for my home network... but it's running djbdns.

Re:t3h horror! (Score:4, Funny) by McGiraf (196030) on Monday July 28, @08:23PM (#24377929)
Anecdotal evidence is enough to prove that at least one OS X Server is used.

The patch is undocumented (Score:5, Funny) by commodoresloat (172735) on Monday July 28, @07:22PM (#24377165)
The problem is that they didn't apply the patch to the OS; they applied a patch directly to the Reality Distortion Field, ensuring that this isn't a vulnerability in the first place.
Right on (Score:5, Insightful) by Anonymous Coward on Monday July 28, @07:45PM (#24377497)
Well, that's what my Mac using friend whose reality is severely distorted told me - "I don't have to worry, I use Mac." Further arguments were futile after that.

Re: (Score:3, Insightful) by LostCluster (625375)
Recapping our top story for those just joining us... there's a flaw in most common DNS resolving servers. So it doesn't matter what desktop software you're running, it's what the machine that answers to the DNS server named in your IP config. If you're using a Mac and your ISP is fixed, you're most likely fine. If your ISP isn't fixed, well, there's your problem.

Re: (Score:3, Insightful) by OriginalArlen (726444)
Funny you should say that. Someone just released exploit code that, when used with the DNS cache-poisoning attack, allows the attacker to masquerade as the Apple OS update site [readlist.com] and supply arbitrary binaries that the victim machine will happily download and install. That's right, in 2008 MacOS doesn't use SSL to authenticate the OS update server. The words "un fucking believable" spring to mind.

Re:The patch is undocumented (Score:5, Informative) by wumpus188 (657540) on Tuesday July 29, @03:53AM (#24381657)
Are you living in 2002 [slashdot.org] or just making this up?

Mac OS X ...Server? (Score:5, Funny) by sexconker (1179573) on Monday July 28, @07:26PM (#24377227)
Wait, what?

Re:Mac OS X ...Server? (Score:5, Informative) by Anonymous Coward on Monday July 28, @08:16PM (#24377873)
Mac OS X Server is way more than that. It remotely manages and provides services to potentially thousands of concurrent Mac OS X clients and/or effectively manages Apple's XRAID/XSAN storage subsystems. Apple can't walk into an organization and sell them five hundred Macs and very well expect them to use Windows 2008 or Sun servers now can they? Remote software updates, asset tracking, screen-control, web-mail, anti-spam, everything... http://www.apple.com/server/macosx/

Re:Mac OS X ...Server? (Score:5, Funny) by Anonymous Coward on Monday July 28, @08:20PM (#24377905)
Wow, sounds great, tell me more about the security, I want to use their super-slick interface for my DNS servers.

Re: (Score:3, Funny) by tim_of_war (1256120)
> Apple can't walk into an organization and sell them five hundred Macs ...
We'll cross that bridge when we come to it.

Re:Mac OS X ...Server? (Score:5, Informative) by raddan (519638) on Monday July 28, @10:34PM (#24379389)
As of today, we've extricated ourselves from the hell that was Xserves. We purchased a number of these machines because it seemed like an easy and cheap way to get a fileserver going that did both AFP and SMB, was AD-integrated, and could have its file store on a SAN. Well, after much money and a year later, the answer is that Apple very much oversold their ability to integrate into a Windows environment. Here are my gripes:

AD-binding is not straightforward. Apple really wants you to run an OpenDirectory, as this allows you to both manage Apple desktops and do single-sign on. If you just want to allow AD authentication on your MacOS X servers, good luck. You're in for a bugfest, with partially-working GUIs and many, many quirks. #1 quirk being: you can't do cross-domain authentication, even if those domains are trusted. This was a showstopper for us.

There is only ONE backup application for Xsan that is both a) reliable, and b) has a reasonable support contract. We tried Retrospect (total POS), Veritas (ridiculous wait times for support), and finally, BRU. BRU has a decent product, but the number of MacOS bugs that plague this application make it unreliable and frustrating to use.

OSS applications don't handle the numerous HFS+ corner cases. Rsync, which we used for snapshots, routinely hemorrhaged itself on files with extended attributes, despite the fact that this was APPLE'S OWN VERSION.

Ever try running a shared AFP/SMB volume on an Xsan? You can't. Surprise, surprise: Xsan is not HFS+ formatted. It uses CVFS, which is a Quantum/ADIC filesystem. Why? Because Xsan is simply a rebadged version of StorNext! So your AFP daemon will spew Mac metadata everywhere which your SMB daemon will not honor, thus totally corrupting your data. Fuck you, Apple. Seriously.

You can't modify MacOS X Server files on the command line. Oh, well, you could on 10.4 server; then lock the file and hope you never had to use the GUI again. But on 10.5, even that does not work-- it still overwrites your file; smb.conf is a perfect example. I figured, OK, maybe I should set the immutable flag, but then I started thinking... WHY am I using Apple products again?

Apple's enterprise support blows. Sometimes you get an answer, but no matter what, expect a long wait while people on the other end decide whether they want to bother answering your question or not.

Want to follow-up on a bug that someone else reported? Good luck. Their bug reporter is terrible. Would it be so hard to run Bugzilla?

Apple needs to get their shit together. Unless your needs are VERY straightforward, even 10.5 does not solve them. I'll admit that 10.5 has a much nicer server admin GUI, but it does not overcome the problems with the platform.

We've moved all of these services to CentOS machines. By contrast, getting them working reliably was a walk in the park. Equivalent hardware (hotswap RAID (SCSI, I should add), redundant PSU, fiber channel card, GigE, dual processor machines in a 3U form factor (SuperMicro chassis)) come out to about $1k less than an Xserve, on average. And when a part dies, like a backplane, I can BUY THAT PART. With Apple, you have to buy an entire parts kit, which comes with stuff you may not want.

We now run Samba and Netatalk on CentOS on generic server hardware, connected to our StorNext network. There may be better SAN stuff out there than StorNext (in fact, their licensing department leaves much to be desired-- do they even know how to use their own product?), but we already had a lot invested (three Xserve RAID cabinets). Things run great now, and with the Linux version of BRU, our full tape backup [inexplicably] finishes 9 hours earlier (used to take 60 hours, now takes 51).

My advice: Apple makes some nice desktops, but their server stuff is only for novices. I went into the experience very optimistic about Apple's stuff, but now I have a very bitter taste in my mouth.

Re:Mac OS X ...Server? (Score:5, Informative) by Anonymous Coward on Tuesday July 29, @04:19AM (#24381795)
> AD-binding is not straightforward. Apple really wants you to run an OpenDirectory, as this allows you to both manage Apple desktops and do single-sign on. If you just want to allow AD authentication on your MacOS X servers, good luck. You're in for a bugfest, with partially-working GUIs and many, many quirks.
Of course with Mac OS X Server 10.5 you can use augmented accounts and run that OD if you desperately think you need to. Depends what services you're trying to run whether you need to or not, some services just need more directory information than AD can provide.

> #1 quirk being: you can't do cross-domain authentication, even if those domains are trusted. This was a showstopper for us.
Yes you can. That's what the pretty little checkbox labelled "Allow authentication from any domain in the forest" does. Nifty eh?

> There is only ONE backup application for Xsan that is both a) reliable, and b) has a reasonable support contract. We tried Retrospect (total POS), Veritas (ridiculous wait times for support), and finally, BRU. BRU has a decent product, but the number of MacOS bugs that plague this application make it unreliable and frustrating to use. OSS applications don't handle the numerous HFS+ corner cases. Rsync, which we used for snapshots, routinely hemorrhaged itself on files with extended attributes, despite the fact that this was APPLE'S OWN VERSION.
There are other backup applications available, I'm not going to go into them now. Rsync can be made to work fine with Mac OS X, depends on your needs of course. Are you trying to backup HFS+ or Xsan? Or can't you make up your mind where your data is? If you're backing up Xsan then HFS+ corner cases are pretty much irrelevant given...

> Ever try running a shared AFP/SMB volume on an Xsan? You can't. Surprise, surprise: Xsan is not HFS+ formatted. It uses CVFS, which is a Quantum/ADIC filesystem. Why? Because Xsan is simply a rebadged version of StorNext! So your AFP daemon will spew Mac metadata everywhere which your SMB daemon will not honor, thus totally corrupting your data. Fuck you, Apple. Seriously.
That's right, it's not HFS+. Uhm, duh? A cluster file system needs to be, well, a cluster file system. Fortunately for you you've just discovered that this creates the magic of a "._" file (AppleDouble extra data). Now I've got currently running an Xsan cluster that seems to serve out the same data via AFP and SMB and I haven't had any data eaten. Ever consider that maybe you're doing something wrong?

> You can't modify MacOS X Server files on the command line. Oh, well, you could on 10.4 server; then lock the file and hope you never had to use the GUI again. But on 10.5, even that does not work-- it still overwrites your file; smb.conf is a perfect example. I figured, OK, maybe I should set the immutable flag, but then I started thinking... WHY am I using Apple products again?
Right, smb.conf. Maybe you could just read the file and look for the big comment noting:

    ; Site-specific parameters can be added below this comment.

Maybe you could add your customisations below there like you're told to and be amazed that they don't get overwritten. Reading the documentation, that'd be a novel idea.

> Apple's enterprise support blows. Sometimes you get an answer, but no matter what, expect a long wait while people on the other end decide whether they want to bother answering your question or not.
I've had great enterprise support including contact with engineering teams to fix specific issues I've had. Maybe you should be nice to your reps instead of abusing them in public forums.

> Want to follow-up on a bug that someone else reported? Good luck. Their bug reporter is terrible. Would it be so hard to run Bugzilla?
Because I know that I want all my confidential data supplied to Apple so they can fix an issue to be public. This just isn't reasonable for any large company. Nor does it make much sense. If you're having a bug yourse [Read the rest of this comment...]

Re:Mac OS X ...Server? (Score:5, Informative) by Whiney Mac Fanboy (963289) on Monday July 28, @10:52PM (#24379603)
> its 500 dollars for a unlimited license,
Uhhh? unlimited license? For $500, Apple gives you a 10-client license [apple.com]?

> and does a hell of a lot more than throw a few OSS solutions into the box.
OSS solutions:
* Scale up onto hardware Apple can only dream about (talk to Sun or IBM for more info)
* Fit into your existing vmware infrastructure.
* Don't impose bullshit per-client licensing restrictions.
* Don't leave you with a coating of vendor lock-in slime.
Sure, if you're a complete Apple shop (hah!), then OS X server is probably a good fit for you, but in the real world, it's mixed clients (or at least looking in that direction).

> If your going to comment it helps if you have half a clue what your talking about.
Well - at least we agree on this....
Re: (Score:3, Informative) by jc42 (318812)
Hmm ... I don't think I'd recommend a Mac OSX machine for a server, especially to a small site without technical expertise. When I tried this a couple of years ago, it took me the longest time to figure out why not only that machine, but also a lot of machines in the neighborhood, were so flakey. One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DHCP server

Re:Mac OS X ...Server? (Score:5, Informative) by MarcQuadra (129430) on Monday July 28, @09:58PM (#24378923)
OK. I'll start from the beginning. All the 'internet sharing' devices and operating systems (including Windows XP) will fire up a DHCP server on the LAN they're sharing to, that's what internet sharing is, a single device acting as a NAT/RIP gateway for several other machines. DHCP is quite a simple service (too simple if you ask me, given this particular problem), if you -sometimes- get IPs and other times do not, there's probably a contending DHCP server on your LAN that needs to be hunted down and killed. This is networking 101. You never plug the 'LAN' side of a NAT device into a LAN that already has a DHCP server, unless you're sure you know what you're doing.

Second, regarding the 'case issues'. There is a case sensitive option (that you -can- flip arbitrarily) in HFS+. There are -case issues- if you're doing some kinds of things (CVS checkouts of source directories with colliding names, etc.), but generally nothing that a little understanding wouldn't fix. Why on -earth- you would use HFS at all instead of HFS+ is beyond me. That's trying to install Windows on a FAT16 disk. HFS+ has its strong and weak points, but HFS is a dead -dead- dinosaur. It really sounds like your mac experiences were from the early 10.x days or even the Classic Times of Olde.

I've admin'd several OS X (10.3 - 10.5) servers that do printing, file sharing, VPN, directory services, desktop management, web serving, and even Windows Domain Control, and I've never had a problem with anything you're talking about. That being said, I do prefer Linux, but that's just because it's cheap and it runs on anything.

Re: (Score:3, Informative) by mortonda (5175)
... and that's just exactly the reason people advocate a caseless file system. A folder named templates and another folder named Templates? Are you mad? I'm not really leaning one way or the other wrt caseless fs's, but let's not ask for pain!

OS X Server not for critical infrastructure (Score:2, Insightful) by Anonymous Coward
This sort of thing is why nobody should be using OS X Server for critical infrastructure. OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit. It seems like Apple is always dragging their feet on security updates, and that alone should cause a major aversion on the part of anybody thinking of deploying their server software into production.

Re:OS X Server not for critical infrastructure (Score:5, Funny) by cream wobbly (1102689) on Monday July 28, @07:39PM (#24377399)
> OS X Server is for schools
...because it's a learning experience?

Re: (Score:3, Insightful) by bluefoxlucid (723572)
> OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.
As a hacker, I welcome the concept of hooking up one giant monoculture. Chances are if you misconfigure X or fail to patch Y on my entry point, I've got the same back door all over your whole network. As a security consultant... who am I kidding, I rape the network and give you a stack of paper saying you should have relied on Unix-like/Windows/Apple boxes by purpose, citing specific software supported on each (i.e. Apache vs. IIS, php, MySQL vs MS SQL Server); and point out that making one big singly-deplo

I guess Microsoft have found the focus of their.. (Score:3, Funny) by Channard (693317) on Monday July 28, @07:28PM (#24377247)
.. $500 million 'Why Vista is better than Apple because we say so' campaign.

Steve Jobs? (Score:4, Funny) by st33med (1318589) on Monday July 28, @07:37PM (#24377377)
Maybe because he is sick/out of work is why they can't patch it (They fear their boss might yell at them for patching it without his consent...)
OR
They are so stubborn that they believe there is and never will be anything wrong with a Mac.
OR
They are still testing the patch (highly unlikely since it has little interference with how the server functions...)
Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.

Automated Email Reply (Score:4, Funny) by Stickerboy (61554) on Monday July 28, @08:11PM (#24377829)
Dear valued Apple customer:
We received your message regarding "unpatched Mac OS X Server security hole". We appreciate your business, and we will do everything to address your concerns as soon as possible. Unfortunately, Steve is away from his desk on leave due to health concerns related to his non-lethal pancreatic cancer. He will be happy to fix the problem with "unpatched Mac OS X Server security hole" as soon as he returns to work.
Sincerely,
Apple Customer Service

Apple + patches == ohnoes (Score:5, Interesting) by HEMI_426 (715714) on Monday July 28, @08:15PM (#24377863)
As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default). Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break Squirrelmail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.

I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went in to it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned are that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market... Which is really too bad, cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.

Now that I've got all that off my chest, Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market again; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else... Apple really has to get things together or get out of the "server" market.

Re: (Score:3, Insightful) by Pfhor (40220)
I understand your pain. On the plus side, if you are a python / ruby developer, you have some things to look forward to, as a lot of apple's own components are being written in them, so those installs actually work most of the time. The perl one, not so much. Of course, the biggest limitation to their serious server implementation is that there is no apple provided forum for users to be able to discuss their issues with beta release software. Let alone a publicly searchable bug tracker (right now we search

Apple not alone in leaving DNS hole unpatched (Score:5, Interesting) by ericferris (1087061) on Monday July 28, @08:30PM (#24378021)
I have a DSL broadband subscription with AT&T (it used to be a small local company and they got bought by whatever is now called AT&T). I noticed that their DNS was unpatched and I used their support forms to report the problem. The reply came only a few hours later. To quote: "We regret we cannot help you with your WorldNet dialup problem". Huh? So their networking department is not patching critical protocol flaws, and they programmed their answerbots to laugh at us users if we attempt to point out said flaws. Since when does Simon the BOFH work for AT&T DSL support? AT&T network admin? It's a great job if you can get it.

Re: (Score:3, Informative) by duplicate-nickname (87112)
Same here... I am on AT&T DSL service and the DNS servers are unpatched, and they haven't released patches for their 2wire DSL modems which do DNS proxying (hopefully not caching). I've switched my machines to OpenDNS, but I don't know how an ISP the size of AT&T is not taking this seriously.

Given the issues this caused with vista... (Score:5, Informative) by plasmacutter (901737) on Monday July 28, @09:18PM (#24378515)
Given the issues [theregister.co.uk] this patch caused with vista, I'm not at all surprised they're putting more thorough testing through on this. Apple does not want to lose its "just works" reputation by slaughtering internet connections on its platforms.

Re: (Score:3, Informative) by weicco (645927)
> Given the issues this patch caused with vista
Issues? What issues? I'm not having any issues with my Vista. Oh, you must be talking about the issue with ZoneAlarm... But that's easy: no ZoneAlarm, no issues.

Re:in case you didnt get the memo (Score:5, Insightful) by Anonymous Coward on Monday July 28, @07:26PM (#24377217)
What are you smoking? Apple has always been evil. Extremely litigious and questionable methods.

Re: (Score:3, Informative) by DadLeopard (1290796)
They got on my bad side way back when they took DRI to court over the look and feel of GEM (Graphic Environment Manager), that is why you have Windows on the IBM type PC today instead of GEM and Bill Gates is a billionaire!

Re:Slashdot and Apple Schizophrenia (Score:4, Interesting) by Shados (741919) on Monday July 28, @07:53PM (#24377603)
If all you had to do was keep a constant opinion, what would be the freagin point of posting at all? Bunch of zombies that all say the same thing, oh yeah, very constructive (though it's ALMOST what it is anyhow). What's important is how constructive what you say is and if it adds value to the discussion (and yes, being funny does add value). The system is broken, but not as much as one would think... Most of the moderations I get on pro-Windows posts get modded up (and those that get modded down, half of the time it's because I was not constructive and only ranting), on such an anti-MS web site... so it's not completely hopeless.

Re:Hey, I just wrote about this (Score:4, Insightful) by Ifni (545998) on Monday July 28, @07:55PM (#24377623)
I wonder if they use OSX server for their public DNS and how much egg they would have on their face when some script kiddie used Metasploit (http://www.metasploit.com/) to "test" their servers for them. No targeted exploit indeed. Of course I suspect they pay some actual professionals to manage their DNS, and that these professionals use a proper server OS and have patched the DNS hole. But still, a script in the wild that affects the security of their servers certainly exists, on a very popular vulnerability assessment tool no less, and should be cause for concern on their part. The fact that it apparently isn't just shows how seriously they take their server business.

Re:Hey, I just wrote about this (Score:5, Insightful) by Pfhor (40220) on Monday July 28, @07:55PM (#24377629)
This is related to Apple's OS X Server product, which runs DNS (bind in fact), and many mac businesses do in fact use it, if even as a local DNS cache (which a simple fix now would be to configure their boxes to use opendns). The bigger issue is this is a pretty big deal on the security front, all of the businesses that apple has to compete with in the server space (especially in the eyes of enterprise IT), have had a fix and a public statement about it out the door. Apple is the big unix vendor missing off the list, and has not even made a public statement as such to inform its users about the issue. Not exactly the best way to talk about how secure their products are (client and server). Of course, they still haven't gotten around to fixing the ARDAgent.app vulnerability from a few weeks back either.
Re:Hey, I just wrote about this (Score:5, Insightful) by Burdell (228580) on Monday July 28, @09:18PM (#24378517)
There are many ways to get to a "protected" caching resolver. Users on the trusted network browse the web, send email, IM, etc.; all of those require DNS lookups, and many can be subverted to cause lookups of arbitrary names. In any case, trying to excuse Apple by saying "not too many are affected" is crap. They shipped software that is now known to have security issues and it should be addressed. They've known there is a problem for almost 3 months and still have not done anything to protect their customers. If this was Microsoft, Sun, Red Hat, etc., people would be ranting about it, but since it is Apple, it must be okay.

Re:Hey, I just wrote about this (Score:4, Informative) by mortonda (5175) on Monday July 28, @10:51PM (#24379593)
> But recall... this vulnerability is only available to someone who has access to the caching server in the first place...
No! This attack is simply a flood of false answers to a DNS query made by either a client or caching server. They *look* like legit answers that beat the actual answer back. Because the legit answer has to be able to get back to the server, the spoofed ones are able to get there too. The clients are only vulnerable within their own firewalled network; but a resolving server, even behind a firewall, is vulnerable to the Internet at large.

Re:Apple meet real world (Score:5, Interesting) by sxeraverx (962068) on Monday July 28, @07:59PM (#24377707)
Apple was never secure. It was just unused. The exact same thing is going on ATM with their X server. Not so much a security flaw (though it might be) as much as a major bug. If you send too many events at once (not insane amounts, just a lot) it simply crashes, bringing down all the X apps with it. Upstream was fixed over a year ago; they just refuse to roll out an update.
I guess it's an attempt to make devs port to Cocoa/Carbon/whatever-it's-called, but for some of us, that's just not an option. More specifically, it's a program developed by part of a university bioinformatics lab, and we just don't have the manpower or the grant support to do it. So we're either stuck with only supporting Linux, trying to find a workaround, or just ignoring it and hoping it doesn't happen too often. The last option is what we ended up choosing.

Re:Apple meet real world (Score:5, Insightful) by toddestan (632714) on Monday July 28, @10:45PM (#24379513)
> PSP was hacked very early. Sod all sales, definitely fewer than Macs. iPhone was hacked very early. They have fewer users than the Macs. GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have. Xbox (original) was hacked very quickly, as was playstation, and even gamecube, and even sega dreamcast. People will hack anything, just to say they did. Kids brought up on Macs at schools who don't have stupid anti-apple biases will try to hack their school computers. Or maybe even if they do have anti-apple biases. But nobody has yet been able to hack a Mac convincingly.
Wow, talk about a stupid argument. The common thing with all of those you listed is they were "hacked" so you could load your own software/games onto them. Ignoring the fact you can do that already in OS X, people have been hacking Macs to run Windows/Linux/whatever for years, and this was before Apple made it easy to do so. Similarly, people have been hacking Apple's OS to run on non-Apple hardware for years too. So if that's your definition of "hacking", then there have been "hacks" out there for Macs for decades. Obviously none of this has anything to do at all with network security, so I don't even know why you brought it up.

Re:Is it really so hard? (Score:5, Insightful) by MrNaz (730548) on Monday July 28, @08:56PM (#24378295)
Personally, the brazen "stomp everywhere and expect the world to bow to their whims" attitude reminded me of Microsoft in the mid 90s. Now, complacency with regards to security confirms it: Apple are following Microsoft's path 15 years after them. It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then; he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible-to-all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't. Face it, Apple, like Microsoft before them, are just the flavor of the month.

Re:Is it really so hard? (Score:5, Insightful) by ktappe (747125) on Monday July 28, @10:37PM (#24379423)
> Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.
Fail. I was a vocal opponent of Windows 3.1, calling it the abomination it was. Also, you seem to think there are no geeks hating on Apple now. I'm not sure what blogs/newsgroups/boards you read, but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2008 SourceForge, Inc.