DNS Issue Just Fixed in Windows

[Amdahl]

Clock ran out... Apple failed to react

OK, this issue is now being exploited.

Where is Apple's patch for OS X Server? Those servers are now useless as DNS servers, unless their (mostly unaware) operators took precautions.

Where is Apple's patch for OS X? Microsoft and a dozen other companies had their patches out two weeks ago.

This failure to act shows that Apple has STILL not gotten the message on security. It took Microsoft years to get the message, but when they did, major changes were made to their OS and they created a Security division that had the ability to mandate responses and fixes from any other product team in the company. Where is Apple's security division, and what is the name of the head of that division?

When will Apple commit to producing security updates for at least five years after the last sale date of an OS?

 

[nerd0795]

Oh Noes!!!!!!

I just asked if OpenDNS is vulnerable but it is not. It's safe from the exploit.

 

[Amdahl]

What is Apple waiting for?

I just asked if OpenDNS is vulnerable but it is not. It's safe from the exploit.

You're not safe if you are running OS X, you're just a less-juicy target. End of story.

A client can be attacked, but it has to be more carefully timed. If an attacker knows you are about to do a DNS lookup (perhaps because you just visited a compromised website, and they know the next DNS lookups you will do to finish loading the page), they can then launch an attack on you in hopes of poisoning the DNS cache that is run by Directory Service.

In fact, using OpenDNS makes you more vulnerable to a client attack, because the response time is statistically more likely to take longer (leaving the window for attack open) than your closer ISP DNS server.

dscacheutil -statistics

 

[antihero]

only dns servers are vulnerable, but clients are more at risk (if that makes sense). the situation being, if i compromise the Apple DNS server and redirect say, all traffic for www.apple.com or www.me.com to my webserver, which is running a tool to compromise peoples web browsers, then that would be an issue.

in another scenario, i could take over something like mail.mac.com or mail.me.com, all of a sudden i'm receiving all email for me.com and mac.com at my mail server

pwned

 

[Amdahl]

only dns servers are vulnerable

This belief needs to end. Clients are vulnerable, completely independent of the DNS server they may be using. Visiting ONE nasty web site could poison your Mac for any websites the hacker wants until you reboot.

OSes like XP & OS X are each running their own internal DNS 'server' that caches addresses, and that can be targeted directly. It isn't as easy, and it isn't as fat a target, but if OS X is not fixed soon, it will become the easiest OS to attack with phishing schemes. With zombie bot networks, tens of thousands of compromised web sites out there, and plenty of time on their hands, it is not as hard as everyone seems to think.

Microsoft saw the risk; why doesn't Apple?

 

[antihero]

yep thats right, i meant 'being exploited' not vulnerable. there are a few exploits out in the wild now (3 public at last count) targetting servers but nothing for clients.. yet.

hopefully apple patch this fairly soon

 

[kaiwai]

yep thats right, i meant 'being exploited' not vulnerable. there are a few exploits out in the wild now (3 public at last count) targetting servers but nothing for clients.. yet.

hopefully apple patch this fairly soon

I have a feeling that we're going to see a security update for MacOS X very soon; and it'll include a lot more security updates than what we know right now. As much as I would love to have this update asap, at the same time I do what them adequately tested so one experience major issues as a result of the update.

 

[lugesm]

Interesting and frightening article on this subject:

http://arstechnica.com/news.ars/pos...ploit-now-in-the-wild-and-having-a-blast.html

 

[applefan69]

I didnt read the entire topic, so this may have already been said. But basically the security issue was hackers could control your DNS.

Your DNS is what makes your computer translate www.google.com into the ACTUAL server IP. After it translates that URL into a server IP your computer connects to that IP and your download the files on the servwer and your browser translates those files into web content (how the internet works in a nutshell)

WELL if the ahcker controls your DNS the hacker theoretically controls which websites you visit (without you knowing) so you'll think your going to some safe website but really you could end up download a virus... or a trojan, or give out some personal info. See the danger in this?

Like you said microsoft fixed this in a seucirty update. I highly doubt this same security flaw existed in OS X seeing as OS X is completely different from windows so OS X most likely does not require a fix.

 

[Amdahl]

Like you said microsoft fixed this in a seucirty update. I highly doubt this same security flaw existed in OS X seeing as OS X is completely different from windows so OS X most likely does not require a fix.

I wish people would read my previous posts. MAC OS X IS VULNERABLE. END OF DISCUSSION.

You might even be vulnerable if you are patched: does your router do NAT? Have you checked to see if it re-introduces the vulnerability? Just to point out how widespread this problem is, even the Nintendo Wii is vulnerable, more so than Mac OS X.

 

[antihero]

pretty much every OS is vulnerable (unless they're using a djbdns derived dns client, which OSX does not). also if you're using a router or firewall that NATs, even if you've patched your machines, the NAT keeps the vulnerability active because of the sequential source ports being used

 

[m1ss1ontomars]

This is waaaaay beyond my technical understanding, but I just read an article about a major security issue recently fixed in Windows. I know this is true, because I have a notebook running Vista, and I just received and loaded the fix this morning.

Does this affect Apple machines running Safari?

Thanks,

The DNS server vulnerability is only pertinent to people who are running a DNS server, and with your level of technical understanding you probably aren't. In fact, if you have to ask this question you probably aren't. If you are...hm...well let's just say I'm glad I use OpenDNS.

EDIT: Here, have a reference. Not quite straight from the horse's mouth, but here you go: http://www.linux.com/feature/141080

 

[hagjohn]

It's not really an apple problem to patch - its a problem with the root domain name server translation system - which means that every internet connected device is potentially vulnerable. We have to wait for the people that run the DNSs to fix it.

Before entering any passwords, make sure the address in your browser's bar matches the one that is actually for that site.

Apple uses Bind, which was patched a while ago, but Apple has not released it.

 

[theyellowdart]

You are blowing this problem out of proportion. Unless you're running your own DNS resolver, this is not something you need to worry about on your end. A hacker cannot exploit you directly. The only interaction your computer has with DNS is between your computer and whatever DNS servers you're using, most likely your ISP's. If those servers return bad answers, there's nothing you can do other than use other DNS servers.

Quoted for truth

 

[hagjohn]

The DNS server vulnerability is only pertinent to people who are running a DNS server, and with your level of technical understanding you probably aren't. In fact, if you have to ask this question you probably aren't. If you are...hm...well let's just say I'm glad I use OpenDNS.

EDIT: Here, have a reference. Not quite straight from the horse's mouth, but here you go: http://www.linux.com/feature/141080

Desktops, laptops, routers and other items can also be vulnerable as well.

http://blogs.zdnet.com/security/?p=1569
http://news.cnet.com/8301-1009_3-9998625-83.html?tag=mncol
http://www.infoworld.com/article/08/07/28/FAQ_The_DNS_bug_and_you_2.html

Quote from last article:

Fortunately, notes Mogull, attacks are much more likely against Mac servers than individual Macs, so though the later are technically vulnerable, "there's no need to panic."

 

[Amdahl]

Apple most certainly should be panicking. Mac users should be irate. As the Evil-grade demo I posted yesterday shows, the threat is already serious for individual computers. A malicious website can attack your Mac and poison you in LESS than 10 seconds, even if your DNS servers are patched.

There really are too many stupid people out there who don't think clients are vulnerable, or even likely to be targeted. They are BOTH vulnerable, and LIKELY to be targeted. Evil-grade proves the bad guys aren't letting the tech-tards do their thinking for them.

 

[lugesm]

Admitting that I am a Mac novice, I could not avoid noticing that there is a wide difference of opinions on this subject . . . . even among more experienced users.

I just wish Apple would at least make a public statement on the subject. The lack thereof is disappointing, to say the least.

 

[theyellowdart]

Desktops, laptops, routers and other items can also be vulnerable as well.

http://blogs.zdnet.com/security/?p=1569
http://news.cnet.com/8301-1009_3-9998625-83.html?tag=mncol
http://www.infoworld.com/article/08/07/28/FAQ_The_DNS_bug_and_you_2.html

Quote from last article:

EDIT: Actually, after thinking about it a bit, and reading up on it a bit more. Apparently OS X and Linux (and an unpatched windows system) are vulnerable to a direct attack if the DNS server they are connecting to also isn't patched. The pay off is FAR FAR smaller though (One computer vs the entire client base of users using the ISP's DNS server) so the odds of a direct attack, as mentioned by your quote, is pretty slim.

 

[Daveoc64]

At the end of the day, it's entirely possible for a computer running Mac OS X to be vulnerable to this attack (as in someone with a MacBook just browsing the internet).

The chances of that happening a very slim however - but it should have been fixed by now. Everyone else got a fix out on the agreed date.

You can take the same approach to any flaw "I'm not likely to be attacked by this bug", but for a company to do that is appalling.

Why would you want to take a chance with security?

More importantly, Apple has failed to deploy the fixed version of BIND (the DNS server built in to Mac OS X server) which is ready to go and Apple simply needs to put the update up for its customers to download. That is terrible when this is probably the biggest security flaw to hit the internet ever.

 

[theyellowdart]

That is terrible when this is probably the biggest security flaw to hit the internet ever.

While I do agree it's terrible... this really is nowhere close to being the biggest security flaw ever. It's really not even that huge of a flaw when you get into the details of it. BUT it is an issue that needs to be addressed...

The fix doesn't even fix the issue either (which is simply a flaw in the design of the DNS protocol) it just makes the success of the attack much much much less efficient.

 

[Amdahl]

Quoted so I can shred it:

You are blowing this problem out of proportion. Unless you're running your own DNS resolver, this is not something you need to worry about on your end. A hacker cannot exploit you directly. The only interaction your computer has with DNS is between your computer and whatever DNS servers you're using, most likely your ISP's. If those servers return bad answers, there's nothing you can do other than use other DNS servers.

This is how it is supposed to work; the problem is, hackers can send their own responses, and if you do it enough times (say 1500, which takes a couple seconds) the hacker sends their response to you before your DNS server responds.

Mac users can be exploited directly.

An evil website (perhaps even an embedded graphic on a forum?) can cause you to hit their own site (they ID you as OSX), their site will identify your IP, and can then send evil attacks to your computer directly for other domains they are going to cause you to lookup, bypassing your ISP DNS server, and poisoning your Mac OS X DNS cache. Until you reboot, you will be directed wherever they want you to go. They can probably even take over the entire .com domain on your Mac, if they wanted to. They can take over the update server names for Apple Software Updates, Mozilla Firefox Update, or any other software updater that you might try to access. Result: Your computer is now theirs.

Doesn't anyone reading this understand this, or see how simple it is? Apple is leaving everyone wide open to this attack, and if I can describe it on here, the hackers can have it up and running last week!

 

[theyellowdart]

Quoted so I can shred it:



This is how it is supposed to work; the problem is, hackers can send their own responses, and if you do it enough times (say 1500, which takes a couple seconds) the hacker sends their response to you before your DNS server responds.

Mac users can be exploited directly.

An evil website (perhaps even an embedded graphic on a forum like MacRumors?) can cause you to do DNS lookups for their own site, their DNS will see you, ignore your ISP DNS (thus keeping it hanging), and can then send evil attacks to your computer directly, bypassing your ISP DNS server, and poisoning your Mac OS X DNS cache. Until you reboot, you will be directed wherever they want you to go. They can probably even take over the entire .com domain on your Mac, if they wanted to. They can take over the update server names for Apple Software Updates, Mozilla Firefox Update, or any other software updater that you might try to access. Result: Your computer is now theirs.

Doesn't anyone reading this understand this, or see how simple it is? Apple is leaving everyone wide open to this attack, and if I can describe it on here, the hackers can have it up and running last week!

Not really... first the amount of time it will take for a successful attack is much higher, and still more random than that. And they can only attempt it on DNS requests. So if they were doing a direct attack onto your computer, it would take thousands of DNS lookups to succesfully infect the user, and even then they would NOT be able to take over entire .com domains, they would only be able to take over specific DNS requests that they succesfully exploit. (the ones that they succesfully crack the auth key with).

For example, if I were to go to www.google.com and that were to be exploited (unlikely but possible) then they can have www.google.com resolve to whatever they want. But if I were to go to www.macrumors.com they would need to exploit that request also by responding before my DNS server does, AND with the proper key. The exploit doesn't have the ability to direct all .com, .org or .net requests to the hackers DNS server. Any unknown DNS requests will still be directed to your DNS server.

This is the reason why DNS servers are being attacked, because if you can infect the DNS servers cache, and have www.google.com on the server point to their own exploited paged, the payout would be FAR larger than targeting a single user.

So, while it is an issue that needs to be addressed, it's not nearly as big as you made it seem.

 

[m1ss1ontomars]

So, while it is an issue that needs to be addressed, it's not nearly as big as you made it seem.

That is exactly the problem with Apple users. They blow everything out of proportion. Battery life 10% under what Apple claimed? Yell and scream. Palmrests getting dirty because you didn't wash your hands? Yell and scream. Screen has intermittent problems that only some people can see? Yell and scream.

Sheesh, if it was Windows/PC users, they'd just admit that their PC or Windows sucks and live with it.

 

[Amdahl]

This is the reason why DNS servers are being attacked, because if you can infect the DNS servers cache, and have www.google.com on the server point to their own exploited paged, the payout would be FAR larger than targeting a single user.

The only effort that goes in to the attempt is writing the software. Once that is done, you just drain bank accounts or install zombie software until the cows come home. It doesn't matter that attacking computers one at a time seems to be more effort than attacking a DNS server. It's just like spam. Zero cost.

So, while it is an issue that needs to be addressed, it's not nearly as big as you made it seem.

I still disagree. I am not describing an attack that comes randomly; I am describing an attack that comes at you once your browser can be directed to an evil site. Once that happens, the site can include IMG links to all the domains they want to poison; hence, they know you are going to be looking those domains up in only a few milliseconds. This increases their chances of success tremendously. They will even know when they succeeded, because your computer will be contacting their evil site to try to load those IMGs.

In fact, I could execute that attack without even making you visit my site. If I include two images in a forum post, one that is real on my evil site that reveals your User-Agent & IP, I can then immediately begin DNS flooding you for the second image you are about to lookup, that might have been a fake link to r112342.apple.com, so that I can poison all of apple.com. Subsequently, your software update will come to me.

If I know you are vulnerable (User-Agent: OS X), and I can make you look up domains (image links on a web forum site), then I can flood you with poison DNS replies and have a high degree of success.

Until Apple patches.

 

[Amdahl]

That is exactly the problem with Apple users. They blow everything out of proportion.

Well, gee, it is only Apple that has failed to patch, in what is the largest coordinated security patch in Internet history.