Apple Fails to Patch Critical Exploited DNS Flaw
Most of you likely know that I’m a Mac user and a big fan of Apple, though I’m also the first to admit they’re not perfect and I will buy other companies’ computer products without hesitation when they better suit my needs. My Asus Eee PC, for example, was a much better choice for me than the twice-as-expensive Apple MacBook or the similarly-priced Apple iPod Touch for light web surfing and writing where my MacBook Pro is overkill. But, while I’m generally ‘positive’ on Apple, they occasionally do stuff that just drives me batty.
One such thing is their tendency to lag behind on patching major cross-platform security vulnerabilities. Mac OS X and its UNIX (BSD) brethren, as well as Linux (basically a UNIX clone), are pretty secure operating systems out of the box, but they do occasionally have flaws—even serious ones. I wrote recently about a critical flaw in the DNS system that affects all major operating systems, including Mac OS X. The Mac OS X server version uses, by default, the same open source BIND DNS server that most major Linux distributions use.
BIND has been patched by the folks who make it, but Apple—who was made aware of the bug at the same time everybody else was, and knew about the coordinated patch day well in advance—has yet to distribute the updated BIND server to its customers through Software Update. This is inexcusable. Knowledgeable Mac system administrators can compile their own BIND server from the source and replace the insecure version (one of the beauties of running a system that is, at its core, based on open source), but Apple needs to proactively patch this hole in their server product immediately, as every other major OS distributor—including Microsoft—already has.
Update 8/1/2008: Apple patched this vulnerability yesterday with Security Update 2008-005. Mac OS X Server administrators should apply this patch immediately, as should all desktop/laptop users of Mac OS X.