Re: [Fed-Talk] OS X DNS clients still unpatched?
- Subject: Re: [Fed-Talk] OS X DNS clients still unpatched?
- From: "Peter R. Link" <email@hidden>
- Date: Fri, 8 Aug 2008 11:11:28 -0700
Let me approach this another way. How many federal systems use a DNS
server based on OSX? I figure very few, if any. This isn't a slam
against Apple. It's just an understanding that DNS servers have been
around longer than OSX Server has so just use the existing server. I
believe ours is a standard Linux-hosted DNS server; probably using
free software. If I understand Ed's remarks, as long as our
institutional DNS server is protected, then it would take an inside
person to attack clients using that DNS server. I hope that everyone's
infrastructure is configured to dictate which services to use.
On Aug 8, 2008, at 10:26 AM, Dan O'Donnell wrote:
OSX Server is not required to run DNS. A standard OSX client has BIND
DNS and it can be argued that this would be a cheaper DNS server than
paying for a full OSXS just to run DNS.
However, since Apple has not yet patched DNS on client OSX, this would
be a potential security risk.
On 8/8/08 9:59 AM, "Peter R. Link" <email@hidden> wrote:
I saw this website and DNS check application posted a couple of days
ago. I tried it from a home computer to see what it said. My Comcast
connection seems to have additional controls that safeguard against
DNS spoofing. I also saw an article that supports Ed's comments about
the client being the less critical part. I haven't tried setting up a
Leopard server with its DNS server application turned on to see what
the DNS check application tells me.
http://www.doxpara.com/
On Aug 8, 2008, at 9:46 AM, ED Fochler wrote:
I strongly disagree. Although Apple was a little slow to address
DNS and the ARD-applescript problems, they appear to be addressed.
As for the DNS client being vulnerable, that would imply that you
can't trust your local DNS server or your local network. If that's
the case, then you have bigger problems than how random your ports
are.
ED Fochler.
On Aug 8, 2008, at 12:23 PM, Jason Levine wrote:
Wow -- I didn't know that the DNS patch pushed out by Apple (three-plus
weeks later than every other provider) actually doesn't patch what might
be argued to be the more *critical* side of the DNS bug, the client side:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=61#sID304
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111363&source=rss_topic17
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=209901566
Given how tight-lipped Apple is with any security-related info, I won't
presume that this post will generate any official Apple response... but
Apple reps, know that this looks *BAD*, and makes it that much harder to
convince my folks here that using Macs on the desktop is a secure option.
Jason
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
@mail.nih.gov
This email sent to email@hidden
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
__________________________________________________________________________
This email message is for the sole use of the intended recipient(s) and
may contain confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all
copies of the original message.