Yesterday's OS X Security Update patches DNS Flaw!

[sandyman]

QUOTE(sandbox @ Aug 3 2008, 09:28 AM) <{POST_SNAPBACK}>

QUOTE(gunug @ Aug 2 2008, 08:58 PM) <{POST_SNAPBACK}>

Apparently these guys think Apple Clients are still vulnerable:

http://db.tidbits.com/article/9721

I just ran the terminal test on Panther and it's OK.

It will not work if you use a router and use that as your DNS Server.

However the fact that you "Passed" suggests to me that your ISP has patched their DNS servers.

Sandy

Edit

I had a quick think about all this and it might be a good idea to upgrade your router's firmware if you are using one.  I use DD-WRT and they updated their firmware last week.  Sandy gets a kick where the sun don't shine for not checking sooner  

[sandbox]

QUOTE(sandyman @ Aug 3 2008, 02:28 PM) <{POST_SNAPBACK}>

QUOTE(sandbox @ Aug 3 2008, 09:28 AM) <{POST_SNAPBACK}>

QUOTE(gunug @ Aug 2 2008, 08:58 PM) <{POST_SNAPBACK}>

Apparently these guys think Apple Clients are still vulnerable:

http://db.tidbits.com/article/9721

I just ran the terminal test on Panther and it's OK.

It will not work if you use a router and use that as your DNS Server.

However the fact that you "Passed" suggests to me that your ISP has patched their DNS servers.

Sandy

Edit

I had a quick think about all this and it might be a good idea to upgrade your router's firmware if you are using one.  I use DD-WRT and they updated their firmware last week.  Sandy gets a kick where the sun don't shine for not checking sooner  

yup, just ran it off the modem.

I've had many routers given to me or that I found here and there, today I'm using this one http://www.netgear.com/Products/PrintServe...rs/WGPS606.aspx which doesn't work with DD-WRT, my last one did but I gave it away.

A friend brought one of these back from London, it was a gift from Belkin.

http://catalog.belkin.com/IWCatProductPage...oduct_Id=377018


this is the support page for DD-WRT
http://www.dd-wrt.com/wiki/index.php/Suppo..._Devices#Belkin

[sandbox]

Two Black Hat Talks On Apple Security Cancelled
Posted by kdawson on Sunday August 03, @08:04AM
from the can't-say-that dept.
Security Apple
An anonymous reader writes

QUOTE

"Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

http://it.slashdot.org/it/08/08/03/0031228.shtml

[tacit]

I think there's a lot of confusion and misunderstanding about this security flaw.

First of all, you do not need to apply the patch; the flaw in BIND will not affect you unless you are running your Mac as a name server, for example if you are the owner of an ISP and you use Macs as DNS servers. If you are just a consumer using your Mac, then patching your Mac makes no difference. The patch only affects if you happen to be running the name server software called BIND on your computer and using your computer as a name server.

The thing that tells if you are affected or not does not tell you if your computer is vulnerable. Your particular computer is never vulnerable if it is not running as a name server. Instead, that test tells you if your ISP has fixed the problem on their name servers. So it is possible that you may not apply the patch and you'll get an OK response from the test, or you may apply the patch and get a not OK response from the test, because the test does not test your computer at all. It tests the computers in your ISP's data center.

[gunug]

I talked to the official Apple Technician who works in our part of the state today and he confirmed that whatever risks there were have been patched and that only in the most extreme conditions would it every lessen the security in a client workstation anyway!  I didn't seek him out we were just in the same meeting!

[sandbox]

QUOTE(tacit @ Aug 4 2008, 06:46 PM) <{POST_SNAPBACK}>

I think there's a lot of confusion and misunderstanding about this security flaw.

First of all, you do not need to apply the patch; the flaw in BIND will not affect you unless you are running your Mac as a name server, for example if you are the owner of an ISP and you use Macs as DNS servers. If you are just a consumer using your Mac, then patching your Mac makes no difference. The patch only affects if you happen to be running the name server software called BIND on your computer and using your computer as a name server.

The thing that tells if you are affected or not does not tell you if your computer is vulnerable. Your particular computer is never vulnerable if it is not running as a name server. Instead, that test tells you if your ISP has fixed the problem on their name servers. So it is possible that you may not apply the patch and you'll get an OK response from the test, or you may apply the patch and get a not OK response from the test, because the test does not test your computer at all. It tests the computers in your ISP's data center.

Ops, your right.... and I don't run a name server any longer.  

[krissel]

Well folks, seems as though the patch is not exactly flawless either:

http://www.nytimes.com/2008/08/09/technolo...xprod=permalink

[Xairbusdriver]

See posts #10 & 12.