Apple Patches Security Holes But DNS Fix May Not Work


Apple released security patches this week to address a number of serious threats. Apple has drawn criticism from across the computer industry for its slow response to the widely publicized domain name system (DNS) vulnerability.

Hundreds of blogs, online magazines and newspapers ran stories on this topic over the past few days. Brian Krebs, who blogs for Washingtonpost.com, described Apple's recent patches in detail. He summarizes the situation this way:

"Security Update 2008-005 patches a serious flaw in the DNS that could allow hackers to hijack users' Internet connections or silently redirect them to counterfeit Web sites. Cisco, Microsoft, Sun Microsystems and a host of Linux projects pushed out a coordinated fix for the flaw on July 8, when it was first disclosed, and Apple immediately took heat for not releasing its patch then as well."

However, the story gets more interesting. Computerworld and other online technical publications quickly declared that the DNS patch doesn't work. According to Andrew Storms, director of security operations at nCircle Network Security Inc., "The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything."

The article went further. "Storms' tests confirmed that even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw."
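The check Storms describes, telling incrementing source ports from randomized ones, can be sketched as follows. This is an added example, not code from this post or the cited articles; the function name, thresholds and sample port lists are constructed assumptions.

```python
from statistics import pstdev

def classify_source_ports(ports, max_step=16, min_stddev=3000):
    """Classify UDP source ports seen on a resolver's consecutive outbound queries.

    max_step and min_stddev are illustrative thresholds (assumptions),
    not values taken from any vendor or test service.
    """
    if len(ports) < 5:
        raise ValueError("need at least 5 observed ports")
    # Difference between consecutive queries, modulo 2**16 so a counter
    # that wraps around does not show up as a negative step.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(d == 0 for d in deltas):
        return "fixed"          # same port every time: trivially predictable
    small_steps = sum(1 for d in deltas if 0 < d <= max_step)
    if small_steps / len(deltas) >= 0.9:
        return "incrementing"   # next port can be guessed from the last one
    # Ports may be unordered yet drawn from a narrow window, which still
    # leaves little for an off-path spoofer to guess.
    if pstdev(ports) < min_stddev:
        return "low-spread"
    return "randomized"

# Constructed sample observations (not captured from any real system).
SAMPLES = {
    "unpatched-style counter": [49152, 49153, 49154, 49155, 49157, 49158, 49159, 49160],
    "single fixed port": [53, 53, 53, 53, 53, 53],
    "narrow window": [1030, 1025, 1041, 1027, 1060, 1033, 1049, 1026],
    "wide random": [51234, 1893, 40021, 23977, 60412, 10250, 33518, 5871],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(f"{name:26s} -> {classify_source_ports(ports)}")
```

In practice the port list would come from a packet capture of the resolver's outbound UDP queries to port 53, taken after the update is applied.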

For those who missed it, I first started blogging on this DNS issue a few weeks ago. Since that time, thousands of articles have popped up on many aspects of this problem. A Google search on "DNS flaw" now yields over a million page views.

Tod Newcombe, Editor of Public CIO Magazine, sent me a great story from CNET News.com which describes Dan Kaminsky as "The man who changed Internet security." The story is pretty amazing and shows a behind-the-scenes look at how vulnerabilities that are found can be difficult to address. Of course, this was a special case.

The article proclaims, "There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties."

Again, I urge all government enterprises to ensure that they have addressed this very serious problem. Active exploits are now available online.
