For the entire history of Mac OS X, Apple has had a grand time poking fun at Microsoft about a raft of things, but Cupertino has made a point of getting its licks in over Redmond’s track record with security. The malware problem, the ease with which Windows XP was attacked via Internet Explorer and other vectors: oh, what a fun time Apple had.

However, over the Windows XP and Windows Server 2003 lifecycle, a funny thing happened. Microsoft really listened to the criticism, took it to heart, and started not just saying it took security seriously, but showing that it did. We can argue about how annoying some of the implementations have been, but the fact is, Microsoft learned. While the idea of a “Patch Tuesday” may seem odd to a home user, for a network administrator, having advance notice of upcoming patches is a good thing.

But what about Apple? Well, on a very basic level, Apple got lucky. The flavors of BSD Unix have always had a good level of security, Unix itself is designed reasonably well from a security point of view, and, up until Mac OS X 10.4, Mac OS X was not able to really handle high-end server roles. So Apple’s default stance of “We’ll tell you what you need to know, when you need to know it, and you’ll like it” wasn’t a big deal. But it wasn’t good. When you report a security issue, you want (no, you need) open communication. Getting told “We’re looking into it” or “It’s already been reported”, or worse, “Apple takes security seriously, but we don’t comment on unreleased products” is … well, frustrating is the best word that I can use in a family publication.

A lot of people in my line of work had been predicting that, at some point, Apple’s attitude towards security, and the company’s opaque nature, were going to finally bite it in the rear, and hard. It was just a matter of when, but when it happened, it would put a serious dent in the goodwill Mac OS X had built up over the years.

Welcome to “when.”

As reported by Rich Mogull and Glenn Fleishman in TidBITS (and by hundreds of other sources around the Internet), security researcher Dan Kaminsky accidentally discovered a technique wherein an attacker could compromise DNS servers (a crucial part of the Internet’s functionality) via what is known as cache poisoning. This technique allows an attacker to change, or “poison”, the cache where DNS servers store the data that lets you use “www.apple.com” to get to 17.112.152.32.

So let’s say you want to get an update to an app. You enter the URL, e.g. “http://www.goodvendor.com/”, and connect to that site to download the update. The problem is, the DNS server you use (say, your ISP’s or your own) has had its cache “poisoned”, so while you explicitly type in the proper URL, you end up at some other server; instead of downloading the correct, safe update, you download a trojan horse and install it, because you think it’s good. While attacks on DNS servers have been around for a while, this vulnerability made such attacks far easier to pull off than they previously had been.

This kind of attack makes most of the ways you detect phishing sites useless, because the URL will be the right one, not some “almost” right URL. You’ll just get re-routed to the wrong place. This is not theoretical either: there are active exploits for this right now.

Considering that everyone using the Internet relies on DNS in a way that is the very definition of “mission critical”, and considering the relative ease with which this vulnerability can be exploited, Kaminsky and others (like Paul Vixie, who helped create BIND, the software that pretty much every Unix-based OS uses for DNS) took immediate action. Kaminsky, Vixie, and others, including the United States Computer Emergency Response Team (CERT), privately notified all affected vendors, including Apple, by May 8; Apple was specifically notified on May 5. They then waited two months, until July 8, to publicly notify the rest of the Internet community.

By July 8, guess who was the only OS vendor not to have patched their DNS? If you guessed “Apple,” you’re sadly right. To add to the frustration, questions from quite a few Apple customers only drew the standard PR boilerplate.

According to everyone I’ve talked to about this, the patch itself is trivial to apply. The only known complication is that it may slow down DNS on heavily used servers.
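To make the poisoning described above concrete, and to show why the patch is small yet costs something on a busy server, here is a toy simulation added for this page. It is not code from the article, from TidBITS, or from any real resolver, and it models only the guessing game: the unpatched resolver sends every query from one fixed port, so an off-path attacker has only a 16-bit transaction ID to guess; the patched resolver (the fix the vendors shipped was UDP source-port randomization) adds a random port to that. The fixed port number, the addresses, the hypothetical goodvendor.com names and the “accept anything that matches, no bailiwick check” behaviour are all assumptions of the model, noted in the code.

```python
"""Toy model of the cache-poisoning attack described above and of the
source-port fix the vendors shipped. Added illustration only: not code
from the article, from TidBITS, or from any real resolver.

Assumptions of the model (all constructed here):
  * a resolver accepts the first reply whose name, 16-bit transaction ID
    and UDP source port all match the outstanding query, and caches every
    record the reply carries, with no bailiwick check;
  * the unpatched resolver sends every query from one fixed port, so an
    off-path attacker only has to guess the transaction ID;
  * the patched resolver draws a fresh random port per query.
Wire format, TTLs and the real BIND logic are deliberately left out.
"""
import random

TXID_BITS = 16
PORT_LOW, PORT_HIGH = 1024, 65535   # ephemeral range the patched resolver draws from
FIXED_PORT = 53                     # unpatched resolver reuses one port for every query
TARGET = "www.goodvendor.com"       # the name from the article's scenario
REAL_IP = "192.0.2.10"              # constructed addresses (RFC 5737 documentation ranges)
ATTACKER_IP = "198.51.100.66"


class ToyResolver:
    """Caches whatever reply arrives first with the right (name, txid, port)."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}

    def send_query(self, name):
        txid = self.rng.getrandbits(TXID_BITS)
        port = self.rng.randint(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        return (name, txid, port)

    def accept_reply(self, query, reply):
        """reply = (name, txid, port, answers); answers maps names to IPs.

        The Kaminsky twist lives in `answers`: a reply for a throwaway
        subdomain can carry a record for www.goodvendor.com itself, and a
        resolver without bailiwick checks caches it along with the rest.
        """
        r_name, r_txid, r_port, answers = reply
        if (r_name, r_txid, r_port) != query:
            return False
        self.cache.update(answers)
        return True


def run_attack(randomize_port, replies_per_query, max_queries, seed):
    """Simulate the attack; report how many queries it took to poison TARGET."""
    rng = random.Random(seed)
    attacker = random.Random(seed + 1)   # attacker's guesses are independent of the resolver's
    resolver = ToyResolver(randomize_port, rng)
    for n in range(1, max_queries + 1):
        # Ask for a name that cannot be cached yet, so the resolver emits a
        # fresh query each round instead of serving the old answer for its TTL.
        name = f"{attacker.getrandbits(32):08x}.goodvendor.com"
        query = resolver.send_query(name)
        forged = {name: ATTACKER_IP, TARGET: ATTACKER_IP}
        for _ in range(replies_per_query):
            guess_txid = attacker.getrandbits(TXID_BITS)
            guess_port = attacker.randint(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
            if resolver.accept_reply(query, (name, guess_txid, guess_port, forged)):
                return {"queries": n, "target_resolves_to": resolver.cache.get(TARGET)}
        # The genuine reply lands and is cached; the attacker just tries again.
        resolver.accept_reply(query, (name, query[1], query[2], {name: REAL_IP}))
    return {"queries": None, "target_resolves_to": resolver.cache.get(TARGET)}


def guess_space(randomize_port):
    """Number of (txid, port) combinations an off-path attacker must search."""
    ports = (PORT_HIGH - PORT_LOW + 1) if randomize_port else 1
    return (1 << TXID_BITS) * ports


if __name__ == "__main__":
    print("guess space, fixed port:  ", guess_space(False))
    print("guess space, random port: ", guess_space(True))
    print("fixed port, 100 forgeries per query: ", run_attack(False, 100, 10000, 7))
    print("random port, same budget:            ", run_attack(True, 100, 5000, 7))
```

Run as written, the fixed-port resolver ends up with www.goodvendor.com pointing at the attacker after a few hundred throwaway lookups, even though that name was never asked for; that is the part of Kaminsky’s technique that made the old attack practical. The same forgery budget against the port-randomizing resolver finds nothing, because the search space grows from 2^16 to roughly 2^32. The cost of that fix is one fresh socket per outstanding query rather than a single shared one, which is consistent with the slowdown on heavily used servers mentioned above.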

As I write this on Thursday, July 31, there’s still no patch from Apple. Even if one comes out just after this article is posted, it would still be almost three months since Apple was first notified of this issue. In that time, Apple has been the only vendor not to release a patch or clearly communicate the reason for the delay to its customers. Unless you have back-channel contacts at Apple, you have only been told the standard “Apple takes security seriously” line, if you were told anything at all.

There is no level on which Apple’s behavior here is acceptable. It speaks of a security-vulnerability review process that is broken. It shows that either Apple is completely unaware of what is going on with the software it bases its OS on, or that the company knows, and just doesn’t care, because after all, iTunes users aren’t the ones having problems. Even if the patch is released today, that’s not going to be enough. Because if the underlying process is not fixed, this will happen again. And again. And keep happening until it causes Apple enough pain that it finally fixes the process.

Apple needs to not only release the patch, but issue a public mea culpa that apologizes and outlines the way the process (or processes) that allowed this to happen will be fixed. If that does not happen, then as an IT professional, I will be required by my own professional ethics to start a serious review of any uses of Apple hardware on my network that face the public Internet, and see if those machines can be replaced by a similar product from another vendor that not only claims to take security seriously, but actually takes the actions to show it does. I would recommend that anyone else in my line of work do the same.

In the last few months, Apple has, by inaction, secretiveness, and arrogance, shredded the security goodwill it had earned over the last few years. It will take years to recover that goodwill. Ask Microsoft how hard it is to regain goodwill once it’s gone.

The worst part of this is that had Apple not “been Apple about it”, the entire problem would have been a non-issue. Instead, it’s made a mockery of Apple’s claims of being responsive to security issues. I sincerely hope the Windows team is trash-talking the heck out of Apple and OS X over this, because in this instance, it’s perfectly justified.

[John C. Welch is a senior systems administrator for The Zimmerman Agency, and a long-time Mac IT pundit.]