|Home » Industry Watch » The Technological
Bias? Who? Where? Us?
The Kaminsky DNS flaw is all but completely patched. Around the globe. With one company conspicuous in their absence.
Noted computer gurus Glenn Fleishman and Rich Mogull explain.
Apple was clearly distracted by the largest set of launches in its history: the iPhone 3G, the iPhone 2.0 software, the .Mac-to-MobileMe transition, and the App Store.
So true - and it's a good thing they chose to focus on that stuff - otherwise something could have gone wrong.
The duo go on to reveal some of the background the rest of the world's already aware of.
Kaminsky accidentally discovered a new technique attackers could use to compromise DNS servers, allowing ne'er-do-wells to convince servers to accept an incorrect IP address for a given domain name from a source other than the one that properly controls information for that particular domain. (This is called cache poisoning.)
After determining this flaw was legitimate and widespread, Kaminsky immediately contacted major vendors - operating system makers and DNS software developers - and other DNS experts who met secretly at a meeting hosted on the Microsoft campus in March 2008.
Aha. So this flaw was so dangerous Kaminsky gathered security experts from around the world to a series of secret meetings - and who, it should be added, came upon a two tier solution, the first tier of which was to obfuscate the nature of the real fix in tier two. And it was all to be kept super hush-hush.
Because of the super gravity of the situation.
Yet Apple don't patch. The Oliver Twists of TidBITS hold out their bowls, wait for the patch everyone else already has, and rather than snapping out of the spell go forward by providing their own DIY solution. Mac users who pride themselves on the user friendliness of their hallowed platform are now encouraged to apply this solution - a BIND patch - themselves. The patch Apple still haven't found time for.
The other week Charlie Miller spoke to the media again. He was aghast the exploit he'd found in WebKit had been patched only in the computer OS and not for the iPhone. As details emerged it was found Charlie alerted Apple and provided the exploit - but Apple hadn't bothered testing thoroughly and so summarily dismissed it.
And when Charlie spoke to the media about the matter he got a nastygram from Apple.
Back on track: what happens to OS X users? Are they not to have the DNS patch Kaminsky and others worked so diligently to achieve? Unbelievably enough there are those who think it's all #1) malarky; #2) FUD; and #3) anti-Apple bias. Yes it's true. The following exchange comes from the same source; and it should be pointed out the individual most out in left field claims to be a 'security expert'. Grab a flight bag.
DNS cache poisoning is older than Jesus. Why do you think this is special? Sent from my mobile device; please forgive any typos.
I think there's a certain amount of hyperbole going on here.
Right. This makes sense to me. That's why I'm confused about the headline, which feels fairly melodramatic. I guess it's good fun to bash Apple these days on security.
Still, it's always frustrating, as an old school security practitioner, to see the media blow things out of proportion simply for FUD purposes. Disappointing, but I should be used to it by now.
This could be a parody and then it would be almost funny. But it's not a parody. Ambitious students in abnormal psychology should do their doctorate work on Apple fanboys. It's a rich field with a more than adequate supply of test subjects.
We at Apple take security very seriously - much more so than the other computer companies.