A couple of weeks ago, we wrote about a major flaw in the way the DNS system works, and how all the major vendors had coordinated their patches to DNS servers to protect against this vulnerability. Well, Rich Mogull, writing at TidBITS, points out that Apple has not yet issued a fix for this problem for Mac OS X, and especially for Mac OS X Server, where such a patch matters far more. (Most users of Mac OS X client don’t run a recursive DNS server on their Macs; their lookups go to a server on their network or to their ISP’s DNS server.) Mogull says, “All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative or risk being compromised and traffic being redirected.”
We have written in the past about how Apple is slow to issue security updates, especially for the open source software included in Mac OS X and Mac OS X Server. Let’s hope they get hopping on this one, since security researchers around the world agree that this is a serious bug.
Are you a security specialist? Do you want to work in Cupertino? Are you psyched by the iPhone? Apple is looking for you. The company has posted a job description for an “iPhone security engineer”:
Apple’s CoreOS organization is looking for an exceptional individual to validate the security architecture for the iPhone. As an implementer of advanced technologies in OS X, you will have the opportunity to have a major impact on Apple’s embedded operating system products.
Computerworld is reporting that security researcher Aviv Raff has discovered three bugs in the iPhone’s Mail and Safari applications. Raff has reported these to Apple, but apparently Cupertino doesn’t agree that all three bugs are security issues. One of the bugs involves malicious users sending spoofed URLs that iPhone users may click and open in Safari, thinking they are valid URLs for banks, PayPal, etc. The other Mail issue makes accounts more vulnerable to spam, but Raff said nothing more, not wanting to give away details that would make the bug easier to exploit. This bug has already been patched in Mail for Mac OS X.
Raff recommends that users not click on any links they receive in e-mails on the iPhone, and said that if they want to avoid spam, they should stop using Mail on the iPhone. This latter comment surprises us: spam is related to an e-mail account, not an e-mail program, so we are curious as to how a bug in Mail could lead to receiving more spam. But we’ll keep an open mind and wait and see what becomes of this. In the meantime, you have been warned.

Apple has released a series of updates for iLife applications, with individual updates for iMovie, iPhoto and iWeb, as well as a general update called iLife Support. This patch, according to Software Update, contains security fixes, and Software Update provides a URL to find out more about the security content of the update. As of this writing, however, the URL just redirects to a more general Apple Security Updates page, which does not list the iLife Support update. We’ll keep you posted when Apple publishes more information. In the meantime, you can use Software Update to get these patches.

UPDATE: About 8 hours after posting the information below, the site is off-line. It is likely to remain so.
A curious web site has popped up: Miguel García Carmen’s site selling a Mac OS X virus. This person seems a bit megalomaniacal, writing, “MIGUEL GARCÍA CARMEN, this is the name APPLE will have to engrave in stone and STEVE JOBS will never forget, since this man has been the first to ever make such a file that when you uncompress it, it KO’s the system and Hard Drive. ” (The site in question is in Spanish; we have translated the text to present it here. Also, the site was created on July 21, the day the domain hosting it was registered.)
This person claims to have created a system virus that affects Mac OS X. “The goal of this file is to demonstrate after so many hours of work that it is actually possible to harm the latest Leopard 10.5.4 operating system.” But rather than give this information to Apple, or to other security researchers, Carmen is auctioning it off. (As of this writing, the highest bid is EUR 4,778, or $7,606.) Like something out of a bad spy novel, he claims that, “The file will be delivered in person and a test will be performed in front of the buyer so he can verify it is not a fraud.” Hmm… We wonder.
Carmen includes a video on the site, which shows something happening after he extracts a Zip archive. The hard disk icons on the desktop of his Mac flash; what that means, we don’t know, but we’ll stay on top of this in case Carmen is telling the truth.
(FWIW, we made PDFs of the web pages on the site, and copies of the site’s whois records, in case the site goes off-line…)
InfoWorld has published a long article by Mac expert Glenn Fleishman discussing the major security weaknesses of Mac OS X and why Macs are not secure enough for the enterprise. Fleishman doesn’t look for specific exploits or vulnerabilities, but rather at broader security issues in Mac OS X. These include the way Apple handles security updates (especially their unpredictability), the fact that third-party security flaws take too long to be patched, and Apple’s complacency about malware. Fleishman’s points are all valid, and Apple will need to address these issues to satisfy corporate IT managers.
However, John Martellaro, writing at The Mac Observer, questions these points, saying that “the six arguments actually amount to a collection of shibboleths.”