Apple Fails to Fix DNS Flaw
The recent flaw in DNS that was identified by Dan Kaminsky represents a serious threat to the overall working of the Internet for many users. The vulnerability represented such a serious concern that Kaminsky worked with major operating system vendors and DNS software developers to coordinate the simultaneous release of fixes for this flaw. This coordination was coordinated with the help of US CERT. However, for reasons that remain unclear, Apple has failed to deliver a fix for this flaw in their own DNS server in Mac OS X Server. In their article, "Apple Fails to Patch Critical Exploited DNS Flaw" on the TibBits website, Rich Mogull and Glenn Fleishmann detail how Apple has not released a fix for the flaw for the DNS server in Mac OS X. What this means is that any user who relies on a Mac OS X DNS server is at risk of being the victim of DNS cache poisoning and site hijacking. The attack is not new. Cache poisoning has been around for quite a while, but the flaw identified by Dan Kaminsky is faster and more effective than previous flaws in this category.
So what's the risk? The risk is more for the consumer end-user rather than the enterprise user since consumers tend to rely more on their ISP's DNS servers for name resolution. A little side note...as of Friday, July 25th 2008, some of the biggest ISPs -- AT&T, Bell Canada, T-Mobile, and others -- have yet to patch according to this article. Anyway, the risk is that consumers (and some enterprise users) could find themselves being redirected to malicious websites where attackers can try and download malware to their machines or conduct social engineering attacks against the user. This is certainly not a "The sky is falling" scenario when it comes to online banking as the SSL certificate mismatch would be one warning sign that could indicate to the end user that the site they are visiting is not who it claims to be. However, there will certainly be many who could be impacted by this flaw if they did not pay attention to the certificate error or if there was no certificate at all (and the connection wasn't protected by SSL). On the whole this leaves Apple users and those users who depend on Mac OS X's DNS server software in a bit of bind. Hopefully they will move quickly on patching this flaw.
