Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Software - Troubleshooting and Discussion > macOS > The DNS exploit just got a whole lot more serious for Mac users

The DNS exploit just got a whole lot more serious for Mac users
Thread Tools
Tee
Mac Enthusiast
Join Date: Oct 1999
Status: Offline
Reply With Quote
Jul 28, 2008, 08:33 PM
 
http://blogs.zdnet.com/security/?p=1576
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Reply With Quote
Jul 29, 2008, 12:06 PM
 
Originally Posted by Tee View Post
http://blogs.zdnet.com/security/?p=1576
This can be solved pretty simply. Sign the updates. If there is no signature or it's not Apple's, then it doesn't install.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Reply With Quote
Jul 29, 2008, 12:34 PM
 
And fix Safari's behavior with second level domain names.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jul 29, 2008, 12:56 PM
 
Safari's behavior doesn't seem relevant to DNS exploits, and it works fine for me anyway.

BTW, make sure your DNS is safe and use OpenDNS's 208.67.222.222 and 208.67.220.220 if not.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Tee  (op)
Mac Enthusiast
Join Date: Oct 1999
Status: Offline
Reply With Quote
Jul 29, 2008, 02:53 PM
 
Originally Posted by Person Man View Post
This can be solved pretty simply. Sign the updates. If there is no signature or it's not Apple's, then it doesn't install.
I had hoped that the updates via 'Software Update' were signed already.

This is not good.

Just the other day I got an small update to NAV 11 on one just one of my machines - makes me wonder...
     
King Bob On The Cob
Mac Elite
Join Date: Apr 2002
Location: Illinois
Status: Offline
Reply With Quote
Jul 29, 2008, 03:05 PM
 
Originally Posted by Person Man View Post
This can be solved pretty simply. Sign the updates. If there is no signature or it's not Apple's, then it doesn't install.
No, don't do that.

How am I supposed to fake an update server at my work if they need to be signed?!
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Reply With Quote
Jul 29, 2008, 06:09 PM
 
Originally Posted by King Bob On The Cob View Post
No, don't do that.

How am I supposed to fake an update server at my work if they need to be signed?!
The updater contains the signature. Not the server.

Attackers will not be able to spoof Apple's signature and therefore the installer should refuse to install it.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jul 29, 2008, 06:42 PM
 
Originally Posted by Person Man View Post
The updater contains the signature. Not the server.

Attackers will not be able to spoof Apple's signature and therefore the installer should refuse to install it.
More precisely, the updates themselves would contain the signature and the updater would just make sure it's there and valid. So any update that originates from Apple, no matter how you downloaded it, would be accepted. This means a spoofed update server will be fine as long as it is serving legitimate updates.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Status: Offline
Reply With Quote
Jul 29, 2008, 06:49 PM
 
Originally Posted by Chuckit View Post
More precisely, the updates themselves would contain the signature and the updater would just make sure it's there and valid. So any update that originates from Apple, no matter how you downloaded it, would be accepted. This means a spoofed update server will be fine as long as it is serving legitimate updates.
Edit: Nm, my reply is off topic now that I read what you wrote. ut at that point, you might as well run a real Mac OS X Server software update server, because if you're confined to Apple updates anyway...
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
zro
Mac Elite
Join Date: Nov 2003
Location: The back of the room
Status: Offline
Reply With Quote
Jul 29, 2008, 08:43 PM
 
Didn't we go through this like 8 years ago? I'm sure of it. A very, very similar exploit against Software Update in 10.1, at least.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 08:32 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,