
Brian Dipert, EDN Senior Technical Editor, exposes, analyzes and opines on diverse topics in technology. Follow the Brian's Brain Twitter feed at www.twitter.com/BrianzBrain.

Wednesday, August 6, 2008

The DNS Vulnerability: Apple's Irresponsibility And OpenDNS's Utility

Aug 6 2008 9:32AM | Comments (5)


Consider me disappointed, but not necessarily surprised. As I mentioned two weeks ago, Apple's OS X (by virtue of its BSD Unix heritage) employs BIND as its DNS server (and client) code base. In spite of being briefed (along with other BIND implementers) by Dan Kaminsky and his peers early this year on the now-being-exploited DNS poisoning vulnerability, and in spite of being told of the coordinated patch roll-out plan scheduled for July 8th...it took Apple until August 1st to release patches for the server versions of OS 10.4 and OS 10.5 (but not OS 10.3, whose users have yet to receive a formal end-of-life notification from the company). And, believe it or not, the client-side variants of the various OS X versions (including, presumably, the flavors that run inside the iPhone and iPod touch) are (as I write these words on the morning of August 6th) still vulnerable to DNS spoofing. Yes, Apple fanboys, Microsoft patched Windows weeks ago.

If you're an OS X user, therefore, pay particular attention to this post. But more generally, any of you using Internet-centric devices in a mobile manner that involves connection to random DNS servers should pay attention, too. While O/S vendors can (and in most cases, by now have) rolled out their patches, it's up to their customers to install them. And again, not surprisingly, IT administrators are being irresponsibly slow at tackling this critical task. So, since for the foreseeable future you can't be absolutely certain that your ISP-of-the-moment's preferred DNS servers are safe, I recommend you follow the advice offered by Larry M in the comments section of my day-later follow-up post: override the default DHCP-assigned DNS server assignments with hard-coded references to OpenDNS (208.67.222.222 and 208.67.220.220).

To be clear: if you've already verified that your home and office ISPs are patched, then you don't need to do the override for, say, a web browser-inclusive game console that's never going to leave the premises. But portable gizmos such as laptop computers, cell phones and Internet tablets are prime DNS workaround candidates. Larry M's instructions were Windows-specific, but every piece of equipment I've examined in the last few weeks since first hearing of the spoof vulnerability supports (in one way or another) hard-coded DNS server assignments in conjunction with DHCP connections. And specifically regarding cell phones, once you've confirmed that your primary service provider has implemented the patch, you probably only need to worry if you're on a roaming cellular data tether or if you're using a phone that also embeds a Wi-Fi transceiver.
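The "verify that your ISP's resolvers are patched" step above comes down to one observable: whether the resolver still sends every outbound query from a single, predictable UDP source port (leaving only the 16-bit transaction ID for an off-path forger to guess) or from randomized high ports, which is what the July 2008 patch added. The script below is an added example, not code from the post or from any vendor: it scores a capture of a resolver's outbound queries the way the public port-randomization testers of the time did. The three captures are constructed with a fixed seed, and the GOOD/FAIR/POOR thresholds are this example's own assumptions.

```python
"""Added example: score a recursive resolver's source-port randomization from
observed outbound queries. All captures below are constructed sample data."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy of the empirical distribution of `values`, in bits.
    With n samples the estimate is capped at log2(n), so it measures how much
    randomness a short capture shows, not the resolver's true entropy."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True when every value is exactly one more than the previous one
    (a counter-based port allocator, as guessable as a fixed port)."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def assess(queries):
    """queries: list of (source_port, txid) tuples observed from one resolver.
    Returns per-field entropy and a verdict on a GOOD/FAIR/POOR scale
    (thresholds are this example's assumption, not a published standard)."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    n = len(queries)
    distinct_ports = len(set(ports))
    result = {
        "samples": n,
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "port_range": max(ports) - min(ports),
    }
    if distinct_ports == 1:
        result["verdict"], result["reason"] = "POOR", "fixed source port"
    elif is_sequential(ports):
        result["verdict"], result["reason"] = "POOR", "sequential source ports"
    elif distinct_ports >= 0.9 * n and result["port_range"] >= 10000:
        result["verdict"], result["reason"] = "GOOD", "source port looks randomized"
    else:
        result["verdict"], result["reason"] = "FAIR", "limited port diversity"
    return result


# Constructed captures, 40 queries each. Transaction IDs are random 16-bit
# values in all three; only the source-port behaviour differs.
_rng = random.Random(2008)
_txids = [_rng.randrange(0, 1 << 16) for _ in range(40)]

# Unpatched resolver: every query leaves from UDP port 53, so the 16-bit
# transaction ID is the only secret protecting the cache.
UNPATCHED = list(zip([53] * 40, _txids))
# Counter-based port allocator: ports are distinct but trivially predictable.
SEQUENTIAL = list(zip(range(32768, 32808), _txids))
# Patched resolver: distinct high ports drawn at random (seeded so the run repeats).
PATCHED = list(zip(random.Random(1).sample(range(1024, 65536), 40), _txids))


if __name__ == "__main__":
    for name, capture in (("unpatched", UNPATCHED),
                          ("sequential", SEQUENTIAL),
                          ("patched", PATCHED)):
        print(name, assess(capture))
```

Run it as-is to see the three verdicts; to score a real resolver, replace the constructed lists with (source port, transaction ID) pairs read from a packet capture of that resolver's queries to authoritative servers. Note that a short capture can never show more than log2(n) bits of entropy per field, so the verdict rests on the port pattern (fixed, sequential, or spread), not on the raw entropy number.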

So why am I not necessarily surprised by Apple's lame response to this security crisis? Stay tuned to Brian's Brain for an in-depth exposé of the vast (and growing) gulf between the company's words and actions, which I'll hopefully publish tomorrow.

Reader Comments



at 8/6/2008 7:16:32 PM, Victor M said:
10.3.x was EOL in 2006.






at 8/6/2008 8:05:07 PM, Brian Dipert said:
Dear Victor M, can you please share with us the official Apple notification of this? The release of OS 10.4 does not automatically mean the EOL of OS 10.3 from a support standpoint. Ask Microsoft, who just ended shipments of (but not support of) Windows XP 7 years after its release.



at 8/7/2008 5:37:13 AM, Scunnerous said:
I'm not sure irresponsible fits here. What I'm hearing is that the patched BIND is incompatible with some firewalls, which breaks all DNS resolution and that it is crashing persistently with some versions of the OS. Apparently this has been acknowledged by the authors... that the first patch was a rush job and that a later more stable version will be available, umm, soon.



at 8/7/2008 7:35:26 AM, Victor M said:
Brian, support means two separate things. It's the issuance of updates as you think of it, and also the answering of questions about the product. For the former, Apple released maintenance security updates for 10.3 while 10.4 was the current system. Now that 10.4 is the non-current system, 10.3 will never see another update.

At the same time, if you had a machine that shipped with 10.3 and purchased AppleCare for it, you could get phone support for it three years from date of purchase. The last 10.3 product sold in April 2005. I do suppose that a customer with 10.3 could phone Apple and pay for the privilege to ask a question about it, but practically, the product is EOL and has been for some time and went into maintenance when Apple introduced 10.4.

Apple, for good or bad, is not Microsoft. If Apple had released OS X in a fashion similar to XP, you and I would be stuck using a patched copy of 10.0, the version which was so unsatisfactory that 10.1 was released for $20. Apple's naming convention of a point release for a new major version does confuse those who aren't familiar with it - each major version (10.1, 10.2, 10.3, 10.4, 10.5) does introduce huge sweeping changes with benefits and some incompatibility issues. XP managed to undergo no sweeping changes and still introduce compatibility issues. Apple released 5 major versions of an operating system within the same time frame that Microsoft released XP, Server 2003, and Vista.

Do you really intend to have Apple release security updates for 10.1.5, 10.2.8, 10.3.9 across iMac (Bondi), iMac DV, iMac G4, iMac G5, PowerMac G3, G4, G5, PowerBook G3 Lombard, Bronze keyboard firewire, Titanium G4, Aluminum G4, iBook G3 Dual USB, iBook G4, Mac Mini G4, eMac G4 ? Is this a good use of resources when we know that 30% of users upgrade the OS to current within the first three months and the rest follow shortly after the early adopters have tested the waters?



at 8/7/2008 7:45:48 AM, Brian Dipert said:
Dear Victor M,
I'm not necessarily asking for Apple to continue releasing patches for older OS versions (though I am still running OS 10.3 on my two PowerPC-based Power Macs) but at minimum for formal and public patch EOL notification as do Microsoft and other O/S providers. After all, Apple continued releasing OS 10.3 updates for a time after the release of OS 10.5, leaving users to guess when the updates would/will end.

P.S. Huge sweeping changes? I don't particularly consider the OS 10.3-to-10.4-to-10.5 transitions to be at all 'major'... in the Windows world, they're called 'Service Packs'.


©1997-2009 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.