  tigers
join:2001-01-14 Irmo, SC | [SU] FYI the DNS security exploit fix is now in Software Update
Just noticed this and I'm happy to see this one get fixed. |
|
  joeybee Joey Premium join:2003-08-12 Hamilton, ON clubs: | Re: [SU] FYI the DNS security exploit fix is now in Software Upd
Also the ARD exploits are fixed in this too. |
|
  Cabal Premium join:2007-01-21 Boston, MA
| reply to tigers Only the DNS server was fixed; client libraries are still vulnerable. Be careful.
»isc.sans.org/diary.html?storyid=4810 -- Interested in open source engine management for your Subaru? |
|
  bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs:
·SureWest Internet
1 edit | This is not an issue. The "client libraries" are DNS resolvers and they can't be poisoned. It's the DNS servers and DNS caches that can be poisoned. Someone please correct me if wrong.
I'll correct myself: DNS cache poisoning is possible with DNS stub resolvers (Google: "dns cache poisoning stub resolver"). However, the probability of such an attack is very low unless the attacker has control of an ISP or other large target (and all bets are off at that point). |
|
  Mike Premium,Mod join:2000-09-17 Pittsburgh, PA clubs:   | reply to tigers So far this update has killed 2/3 Intel CD2 minis. The first one was fine, then it killed the next two test machines.
Fun. |
|
  Epyon9283 Premium join:2001-12-26 Dayton, NJ | reply to tigers That's pretty impressive. I've yet to have an update kill a box.
Kind of pissed Apple half-assed the fix for the DNS issue. Why leave the stub resolver vulnerable? Every other major OS vendor out there fixed it... |
|
  antwanp Beyond FM, Beyond AM, XM Satellite Radio Premium join:2002-05-14 Cedar Hill, TX clubs: 
·T-Mobile US
·RoadRunner Cable
| reply to tigers Downloaded and updated my MacBook Pro. Although this entire time I never worried about the DNS vulnerabilities. I use OpenDNS for my networks and notebooks.
-Antwan L. -- The Perils of Living in 3-D: »www.antwanpayne.com |
|
  haroldo
join:2004-01-16 united state | reply to tigers For the benefit of simple folk out there, like me, may I ask if this is a major security issue? I use OpenDNS; does that protect me against this exploit? Can someone please dumb this down to my level? Thanks! |
|
  bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs: | No worries. |
|
  antwanp Beyond FM, Beyond AM, XM Satellite Radio Premium join:2002-05-14 Cedar Hill, TX clubs: 
·T-Mobile US
·RoadRunner Cable
| reply to haroldo If you use OpenDNS then you are protected 100%, and have been since this all began.
The exploit basically was that the ports chosen were predictable (consecutive ports) and could be easily spoofed by nefarious people... With randomization, which OpenDNS has been doing, the hole is essentially patched.
I hope I explained it right... |
|
  Epyon9283 Premium join:2001-12-26 Dayton, NJ
| said by antwanp :If you use OpenDNS then you are protected 100%, and have been since this all began. The exploit basically was that the ports chosen were predictable (consecutive ports) and could be easily spoofed by nefarious people... With randomization, which OpenDNS has been doing, the hole is essentially patched. I hope I explained it right... The BIND server that Apple ships with OS X was patched. This does nothing for most people as it's disabled by default.
The DNS stub resolver is still using sequential source ports. This means someone could still poison the local DNS cache on your machine. Using OpenDNS limits your exposure, but since Apple didn't do its job you're still vulnerable. Someone would have to want to poison your machine's cache, but it's still possible. |
|
  bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs:
·SureWest Internet
| said by Epyon9283 :The DNS stub resolver is still using sequential source ports. This means someone could still poison the local DNS cache on your machine. Using OpenDNS limits your exposure but since Apple didn't do it's job you're still vulnerable. Someone would want to have to poison your machine's cache but its still possible. And that someone would need to have control of your connection to the Internet, effectively limiting the attack vector to wireless hotspots. Of course if the bad guy had control of your ISP they could attack, but if they have control of your ISP they wouldn't bother with your computer and instead focus on your ISP's dns cache that serves most of the ISP's customers.
So for most people the current DNS stub resolvers are just fine. I'm not excusing Apple and want it fixed ASAP; however, it isn't a real security concern for me. |
|
  bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs:
·SureWest Internet
| reply to Epyon9283 said by Epyon9283 :Kind of pissed Apple half-assed the fix for the DNS issue. Why leave the stub resolver vulnerable? Every other major OS vendor out there fixed it... IMHO the real issue here is that all other major vendors released a patch on July 8th while Apple twiddled their thumbs and waited until July 31st. That is seriously wrong and my opinion of Apple's security awareness and responsiveness has dropped to new lows. Instead of mocking Microsoft the management team at Apple needs to take security seriously and move fast to resolve issues. |
|
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ
·Optimum Online
| reply to bbarrera said by bbarrera :said by Epyon9283 :The DNS stub resolver is still using sequential source ports. This means someone could still poison the local DNS cache on your machine. Using OpenDNS limits your exposure but since Apple didn't do it's job you're still vulnerable. Someone would want to have to poison your machine's cache but its still possible. And that someone would need to have control of your connection to the Internet, effectively limiting the attack vector to wireless hotspots. Actually they wouldn't need to be on your network; they just have to spoof replies to your IP.
But given the numbers involved and the brute-force nature of the attack, it would make no sense at all for someone to attack a single home user. They want to hit caching servers that many people use so that they have more targets when they spoof www.yourbank.com or whatever. |
|
  bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs:
·SureWest Internet
| said by sporkme :Actually they wouldn't need to be on your network, they just have to spoof replies to your IP. That's what I meant, I didn't mean to imply 'behind my router' and instead they need to be between my router and my ISP to spoof IP ('control of your connection to the Internet'). |
|
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ
·Optimum Online
| said by bbarrera :said by sporkme :Actually they wouldn't need to be on your network, they just have to spoof replies to your IP. That's what I meant, I didn't mean to imply 'behind my router' and instead they need to be between my router and my ISP to spoof IP ('control of your connection to the Internet'). Nope, they can be on any ISP that does not filter IPs not routable by them. It's UDP and a one-way deal. The hack relies on sloppy ISPs (not necessarily your own) that do not filter outbound traffic well. The attacker is changing the source IP of the packets to the IP of the DNS server that is providing the answer they'd like to forge. |
|
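An added example, written for this page and not code posted by anyone in the thread or shipped by Apple, OpenDNS or ISC: it models the guessing game antwanp, Epyon9283 and sporkme describe above. The resolver sends each query from a UDP source port with a 16-bit transaction ID; the attacker, who (per sporkme) only needs a network that does not filter spoofed source addresses rather than a position on your path, floods forged answers carrying the authoritative server's IP as source and a guessed (port, txid) pair. The script classifies a resolver's observed source ports as fixed, sequential or random, computes the search space for each case, and simulates how often a flood of forgeries wins against a sequential-port resolver versus a random-port one. The port range 49152-65535 for the patched resolver, the starting port 1025, and all port and transaction-ID values are assumptions generated for the simulation, not measurements of any real resolver.

```python
"""Added example, not part of the thread: a model of the source-port and
transaction-ID guessing game behind the DNS cache poisoning discussion above.

The resolver sends each query from UDP source port P with a 16-bit
transaction ID T. An attacker who cannot see the query floods forged answers,
each with the real authoritative server's IP spoofed as the source and each
carrying a guessed (port, txid). A forgery is accepted if one guess matches
(P, T) before the genuine answer arrives. All ports and IDs here are
generated for the simulation (assumed values), not captured from a real resolver.
"""
import random

TXID_SPACE = 1 << 16                    # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(49152, 65536)   # assumed port range for the patched resolver


def classify_source_ports(ports):
    """Classify UDP source ports observed on consecutive queries from a resolver.

    'fixed'      : every query used the same port
    'sequential' : each port is the previous one plus a constant step
    'random'     : no constant step visible (what a patched resolver shows)
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if deltas == {0}:
        return "fixed"
    if len(deltas) == 1:
        return "sequential"
    return "random"


def guess_space(port_space, txid_space=TXID_SPACE):
    """Number of (port, txid) pairs an attacker must search blind."""
    return port_space * txid_space


def success_probability(forged_per_round, port_space, txid_space=TXID_SPACE):
    """Chance that one round of distinct forged replies hits the resolver's (P, T)."""
    return min(1.0, forged_per_round / guess_space(port_space, txid_space))


class SequentialPortResolver:
    """Stub resolver that uses port, port+1, port+2, ... (the unpatched behaviour)."""

    def __init__(self, start=1025):   # start port is an assumption
        self.next_port = start

    def query(self, rng):
        port, self.next_port = self.next_port, self.next_port + 1
        return port, rng.randrange(TXID_SPACE)


class RandomPortResolver:
    """Resolver that picks a fresh random source port per query (the patched behaviour)."""

    def query(self, rng):
        return rng.choice(EPHEMERAL_PORTS), rng.randrange(TXID_SPACE)


def simulate(resolver, forged_per_round, rounds, seed=1):
    """Return how many of `rounds` poisoning attempts succeed against `resolver`.

    Reconnaissance: the attacker makes the resolver look up three names in a
    zone the attacker serves, reads the source ports off those queries and
    classifies them. Each round then triggers one more query (in the real
    attack a new random name under the target domain, so a failed round caches
    nothing that blocks the next) and sends forged_per_round distinct guesses.
    """
    rng = random.Random(seed)
    recon = [resolver.query(rng)[0] for _ in range(3)]
    predictable = classify_source_ports(recon) != "random"
    step = recon[1] - recon[0]
    wins = 0
    for i in range(1, rounds + 1):
        port, txid = resolver.query(rng)
        if predictable:
            # One observed port gives every later one: only the 16-bit txid is unknown.
            guess_port = recon[-1] + step * i
            guesses = {(guess_port, t) for t in rng.sample(range(TXID_SPACE), forged_per_round)}
        else:
            # Port and txid both unknown: roughly 2^30 possibilities per query.
            guesses = set()
            while len(guesses) < forged_per_round:
                guesses.add((rng.choice(EPHEMERAL_PORTS), rng.randrange(TXID_SPACE)))
        if (port, txid) in guesses:
            wins += 1
    return wins


if __name__ == "__main__":
    for name, r in (("sequential ports", SequentialPortResolver()),
                    ("random ports", RandomPortResolver())):
        print(f"{name}: {simulate(r, 1000, 1500)} poisonings in 1500 rounds")
```

With sequential ports the attacker only has to cover the 65536 transaction IDs, so 1000 forgeries per round win about 1.5% of rounds and a few thousand rounds (a few seconds of spoofed UDP) are enough; with a random port in a 16384-port range the same flood faces about 2^30 possibilities and effectively never lands. That is the difference between the patched caching server and the unpatched stub resolver the thread is arguing about, and it is why OpenDNS's port randomization protects OpenDNS's cache but does nothing for a stub resolver that still counts its ports upward.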