Yesterday Apple released security update 2008-005 which was supposed to fix the DNS flaw I recently complained about Apple not having fixed yet. Well, it appears that Apple only half-fixed the problem. Yes, they have fixed the BIND DNS server in OS X, but in reality that only protects X-Serves running a DNS server. Sure, regular OS X ships with the BIND DNS server installed, but it’s not on by default, and almost no one turns it on. What we all use all the time is the stub resolver that’s part of OS X, and that’s what Apple didn’t fix. This means that regular Mac users are still not protected from this DNS flaw while just about everyone else is.

[tags]Apple, OS X, DNS, vulnerability, security[/tags]

How worried should you be? That depends entirely on your situation. I’m going to break this up into two groups of people, those with direct internet connections, and those without. Since most of us don’t have direct internet access these days lets start there. Within a corporate, education, and home environment just about all users are either behind firewalls or NAT routers (almost all home internet routers are NAT routers). Whether your behind a NAT router or a firewall the effect is the same, unsolicited packets from the internet can’t hit your Mac. This means that no one outside of your LAN can send malicious DNS packets to your Mac in order to poison it’s DNS cache. For people without direct internet access the only people who can attack them are those on the same LAN. In the home environment that means you probably have nothing to worry about. In corporate and education environments, however, I wouldn’t be so comfortable. Particularly in education environments I wouldn’t trust that no one with bad intentions has access to the LAN.

Next we come to those of us who connect directly to the internet. This includes anyone with dialup internet, and anyone with a modem rather than a router for their broadband. Here in Ireland some ISPs give out modems because they’re cheaper, and I’m sure the practice is the same in other countries. My ISP (Irish Broadband) does this for their DSL customers. If you have a modem and then connect that directly into a NAT router you won’t actually have a direct connection though. In that case there is still a NAT router between your Mac and the internet so you’re protected from outside traffic. However, if you stick that modem straight into your Mac you will have a direct connection. Anyone with a direct connection can be attacked by anyone on the internet. If I were in that situation I’d be very nervous indeed.

But how likely is an attack against a single computer? At the moment, the consensus is that attackers are concentrating on bigger targets like the DNS servers of ISPs, corporations, and educational institutes. However, once those servers have all been patched the attackers could start concentrating on the next lowest hanging fruit, home users. It should also be noted that many of us sitting behind our NAT routers are also not safe because many of our routers are actually vulnerable too! Expect a lot of firmware updates for routers in the next while, and patch your router as soon as you can.

So, in short, for the moment the threat against home users is small so don’t panic. However, the fact remains that Windows and Linux users are protected, while Mac users are not. Apple need to sort this out before attacks on home users start happening. They’re still behind the curve on this one, and that’s just not good enough.