DNS Issue Just Fixed in Windows

[lugesm]

This is waaaaay beyond my technical understanding, but I just read an article about a major security issue recently fixed in Windows. I know this is true, because I have a notebook running Vista, and I just received and loaded the fix this morning.

Does this affect Apple machines running Safari?

Thanks,

 

[r.j.s]

If you are running windows through bootcamp or virtualization, then it probably does. Install the fix and you'll be fine.

 

[lugesm]

If you are running windows through bootcamp or virtualization, then it probably does. Install the fix and you'll be fine.

Robert,

Thank you for your comment. I am running WinXP under Fusion and Mac OSX 10.5.4.

Just checked my WinXP update history, and I found that the system had automatically installed three (3) security updates for WinXP yesterday while I wasn't looking.

I presume your comment suggests this DNS issue does not affect a Mac running Safari ? ? ?

 

[lugesm]

The following is a quote from the news item on the DNS security issue:

"The issue, discovered in the domain name system (DNS), would allow a hacker to gain access to domain name records and redirect traffic to an alternate location. That would mean trying to access something like your bank's Web site could take you instead to a malicious page designed to steal your information."

From this description, it appears the problem affects all browsers and OS.

 

[Amdahl]

Yes, 10.4 & 10.5 are both vulnerable, although not as badly as Windows was, I think.

 

[r.j.s]

Yes, 10.4 & 10.5 are both vulnerable, although not as badly as Windows was, I think.

Do you have proof? If this is true, then doesn't that mean that it is a DNS problem, and there is nothing ANY user can do about it?

 

[Amdahl]

Do you have proof? If this is true, then doesn't that mean that it is a DNS problem, and there is nothing ANY user can do about it?

Yes, it is a DNS problem. That's why patches are being released by every software maker.

For 'proof', I simply watched the DNS requests and observed the source port is not randomized, which is what the fix (at least the initial fix) does. The statement about the flaw hints at some undisclosed complexity that may eventually have to be addressed by software makers later on in followup patches.

 

[r.j.s]

So we all have to be careful between now and the time things are patched.

 

[Amdahl]

So we all have to be careful between now and the time things are patched.

Well, it is actually a bigger problem with your ISP. If they haven't patched, you've got a real problem.

There is a tester at www.doxpara.com Click 'Check My DNS'

 

[lugesm]

Does anyone know if Apple incorporated some kind of protection in the recently released OSX 10.5.4?

When my Windows update was released two days ago, MS was specific in stating that they had addressed the DNS problem with that patch.

 

[r.j.s]

It's not really an apple problem to patch - its a problem with the root domain name server translation system - which means that every internet connected device is potentially vulnerable. We have to wait for the people that run the DNSs to fix it.

Before entering any passwords, make sure the address in your browser's bar matches the one that is actually for that site.

 

[Amdahl]

It's not really an apple problem to patch

Apple needs to patch it; everybody does.

 

[lugesm]

Apple needs to patch it; everybody does.

Has anyone seen an Apple comment regarding this issue?

 

[tratclif]

This is a DNS server issue, not a client machine issue.

A DNS server turns "www.macrumors.com" into the 74.86.132.whatever form that your computer understands. Normally when you type in www.macrumors.com, your computer sends a request out somewhere in the internet to a DNS server, which sends the numerical IP address back to you. The security threat is a complicated attack that "poisons" the DNS server so it has false information (so the looking at the url won't help, since the attack isn't happening on your machine). The threat is in the definition of how DNS works, so it affects every machine with every operating system that is set up as a DNS server. The threat is still a theoretical one though, no one is trying to exploit it yet.

Apple never comments about security updates before they're posted, but they are in the list of manufacturers that have committed to patching the problem soon. Since there probably a whole lot of people running Mac OS on their DNS servers, and since Apple is a bit distracted on rolling out stuff this week, I'd expect it by Friday.

 

[tratclif]

[double post]

 

[Amdahl]

This is a DNS server issue, not a client machine issue.

You are incorrect. The threat is largest if your DNS server is not patched, but the problem affects clients just the same. That's why Windows was patched Tuesday.

 

[r.j.s]

This is a server issue, but it doesn't matter whether the servers get patched or the clients. Somebody needs to get a fix out.

 

[Amdahl]

This is a server issue, but it doesn't matter whether the servers get patched or the clients. Somebody needs to get a fix out.

And you're incorrect as well. The problem affects clients & servers, each individually. The threat to clients is larger if they are using an unpatched server.

 

[lugesm]

What worries me:

With all the dishonest, devious, and talented hackers out there; you can bet that some of them are working feverishly to exploit this now-widely-known opportunity.

My Windows laptop received a patch on Tuesday, but we still haven't heard from Apple.

 

[lugesm]

. . . . . . . . . another day goes by, and we still have heard nothing from Apple on this critical security issue.

 

[paulmoscow]

Windows XP has a system service called "DNS Client," which in essence is a mini DNS server. It's recommended to disable the service ASAP because of a waste of resources and doubtful benefits.

Are you sure Mac OS has something similar? Also take notice that Vista is NOT vulnerable to this issue.

 

[lugesm]

Windows XP has a system service called "DNS Client," which in essence is a mini DNS server. It's recommended to disable the service ASAP because of a waste of resources and doubtful benefits.

Are you sure Mac OS has something similar? Also take notice that Vista is NOT vulnerable to this issue.

Hello Paul,

As I stated in the opening post, this is way beyond my level of Mac expertise. So, I am not at all sure how vulnerable Mac is to this problem. Reading all the above posts, there seems to be some confusion with other users as well.

I just wish that Apple would either state that the Mac is not at risk; or they are are working on a patch to protect users. Silence from Apple, in the face of all the public comment on this issue, is not reassuring.

 

[ToastyX]

You are blowing this problem out of proportion. Unless you're running your own DNS resolver, this is not something you need to worry about on your end. A hacker cannot exploit you directly. The only interaction your computer has with DNS is between your computer and whatever DNS servers you're using, most likely your ISP's. If those servers return bad answers, there's nothing you can do other than use other DNS servers.

 

[gnasher729]

Hello Paul,

As I stated in the opening post, this is way beyond my level of Mac expertise. So, I am not at all sure how vulnerable Mac is to this problem. Reading all the above posts, there seems to be some confusion with other users as well.

I just wish that Apple would either state that the Mac is not at risk; or they are are working on a patch to protect users. Silence from Apple, in the face of all the public comment on this issue, is not reassuring.

Here is what would happen if an attacker used this attack successfully: Lets say you type "www.macrumors.com" into your browser. The browser asks the operating system "where is www.macrumors.com"? The operating system asks a DNS server somewhere in the world. That DNS server might be hacked and return where "www.evilhackers.com" is instead. There is no way that the operating system can figure out it was given the wrong place, so in the end your browser connects you to the "www.evilhackers.com" site.

There is nothing that the browser (Safari, Firefox, Internet Explorer) or the operating system (MacOS X, Linux, Windows) can do about it. Nothing at all.

The only situation where MacOS X or Windows would need a fix here is if you run a DNS server on MacOS X; that DNS server would need to be fixed (not for your safety, but for other people's safety) or on Windows. I don't know if a DNS server is part of MacOS X server, but there is none in the normal MacOS X version that you are using, so as far as normal end users are concerned, there is nothing that Apple can do or needs to do.

The reason why very little information got out about this matter is this: The problem wasn't in the design of some DNS server, but there was a hidden fault in the design of the DNS protocol itself. That means a DNS server that is absolutely bug free and works exactly according to spec would still be vulnerable. What had to happen was that the DNS protocol itself had to be changed, that is the rules how DNS servers are supposed to work. And the time between telling anyone about the problem and changing all DNS servers had to be made as small as possible. So everyone had to keep quiet about this and then about 80 different makers of DNS server software changed their software simultaneously. And the code for this change had to be perfect first time round, because if DNS servers don't work, the whole Internet doesn't work.

But now the problem is fixed, so there is very little need to worry about it.

 

[lugesm]

The reason why very little information got out about this matter is this: The problem wasn't in the design of some DNS server, but there was a hidden fault in the design of the DNS protocol itself. That means a DNS server that is absolutely bug free and works exactly according to spec would still be vulnerable. What had to happen was that the DNS protocol itself had to be changed, that is the rules how DNS servers are supposed to work. And the time between telling anyone about the problem and changing all DNS servers had to be made as small as possible. So everyone had to keep quiet about this and then about 80 different makers of DNS server software changed their software simultaneously. And the code for this change had to be perfect first time round, because if DNS servers don't work, the whole Internet doesn't work.

But now the problem is fixed, so there is very little need to worry about it.

gnasher,

Thank you for the great explanation. I am fairly new to the Mac, but have 15+ years on PCs. Naturally, any talk about a vulnerability that could potentially direct my financial or personal information to a hacker site is alarming.

With your last comment " . . . . the problem is fixed, so there is very little need to worry about it." I feel better. Think I'm going to have a beer now.

Thanks again for your comments.

Regards,
L