
Luis Ortega

Original poster
I ran across this article today and had not heard anything about it on Mac sites, so I was wondering if this is something we need to worry about and whether anyone with a Mac has heard anything or tried to apply the patch that is mentioned.

The whole article is at:
http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1

Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.
Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses.

"It's a very fundamental issue with how the entire addressing scheme of the Internet works," Securosis analyst Rich Mogull said in a media conference call.

"You'd have the Internet, but it wouldn't be the Internet you expect. (Hackers) would control everything."

The flaw would be a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

Attackers could use the vulnerability to route Internet users wherever they wanted no matter what website address is typed into a web browser.

Security researcher Dan Kaminsky of IOActive stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants including Microsoft, Sun and Cisco to collaborate on a solution.

DNS is used by every computer that links to the Internet and works similarly to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

On Tuesday the US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, issued a warning to underscore the seriousness of so-called DNS "cache poisoning attacks" the vulnerability could allow.

"An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services," CERT said.

"Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control."

"People should be concerned but they should not be panicking," Kaminsky said. "We have bought you as much time as possible to test and apply the patch. Something of this scale has not happened before."
 
From what I understand of the article this is a problem / vulnerability with the way addressing is handled by servers that direct the traffic of the internet. It's not really a Mac or PC issue, but rather an issue for those who make up the protocols used to direct traffic on the web (like CISCO).
 

Not a real good source, but...

Microsoft joins ‘patch DNS now’ chant; Apple patch missing

According to Rich Mogull, Apple is also among the tardy vendors:

Apple has yet to patch the vulnerability which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack.

Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.

All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative or risk being compromised and traffic being redirected. Installing the above-mentioned BIND should be relatively trivial for anyone who can compile software at the command line. The Mac community could take this up if someone created a compiled version of BIND 9.0.5-P1 and distributed it for simpler installation.

With active exploit code available in a common attack tool, it is imperative that Apple fix this vulnerability. Due to their involvement in the process and the ability of other vendors to fix their products in a timely fashion, it’s hard to imagine any possible justification for Apple’s tardy behavior.
 
Yeah I just saw this on MacNN, so I was half right. For most regular users this is not much of an issue, but Apple is facing criticism for not getting off their butt!
While BIND was only patched on July 8th, Apple has still had weeks to incorporate this into Mac OS, says Mogull. ... Kaminsky notes however that relatively few people run BIND on Mac OS X Server, and that those who do may not need Apple to "hold their hand" in patching BIND themselves.
Maybe Apple is working on getting MobileMe stable first. Ok that was a cheap shot, sorry Apple ;)
 