One of the things I really love about OS X is its Unix underpinnings. Under the hood we get all the *nix tools and utilities I’ve come to know and love: printing with CUPS, remote shell with OpenSSH, Windows sharing with SAMBA, web publishing with Apache, and so on. This gives OS X great power, but it also places a great responsibility on Apple. Just like with any other software, vulnerabilities surface in open source programs. In general the open source community is very responsive to security issues, and patches are released quickly. Those patches protect those who update, but they leave those who don’t even more vulnerable, because a patch can generally be reverse engineered, making it easy for the bad guys to attack un-patched machines. In order to keep OS X secure, Apple need to push out patches to the open source components in OS X as quickly as possible. This is where Apple fall down: they are notoriously slow at getting patches out.


Last year Apple left its users vulnerable for months when it failed to push out a critical SAMBA update; now they are failing to push out a patch to ISC BIND to protect us from the critical DNS vulnerability that’s now threatening the web. The DNS flaw was announced on the 8th of June, and ISC BIND was patched that very same day, as indeed was Windows. In fact, there was a massive simultaneous release of patches because this flaw is so big and so dangerous. The fact that Apple didn’t take part in this simultaneous patch release indicates to me that they still don’t get security, and that they’re not ready to enter the enterprise.

Apple’s pathetic patching record means that I’d go so far as to call it professional negligence to deploy OS X Server in a corporate environment. It really pains me to have to say that, but Apple keep on proving my point by not patching the open source components in OS X in a timely fashion. Until we see a change in Apple’s behaviour, OS X has no place in a server room.

Unfortunately the problems are not confined to corporate server rooms. The DNS flaw affects any device that resolves DNS queries, which includes our home computers and our Macs. Granted, in this case DNS servers are a much bigger and more tempting target, but your Mac is vulnerable nonetheless. What really annoys me about this is that Windows was patched on the 8th, as were all properly maintained Linux and Unix distributions. It really is just Mac users that still have to worry about this flaw, even if their ISP has patched its DNS servers. That stark reality really makes a mockery of Apple’s security claims.

Apple need to fix their security practices soon, because one of these days Apple are going to get badly bitten by one of the flaws they fail to patch promptly. When the inevitable happens it won’t just be Apple’s reputation that suffers; regular Mac users like you and me will be the ones bearing the brunt of Apple’s continuing hubris.