Despite the fact that security exploits for OS X aren’t running amok, we’ve always agreed that security should be a priority for Apple so that we can keep it that way. I don’t know if this should involve the use of cryptic runes or twelve-inch thick steel doors, but a good start would probably be a prompt, transparent patching process.
Over at TidBITS, Rich Mogull, Mac security guru extraordinaire, has pointed out that Apple is one of the few major vendors not to patch their software after a major flaw was revealed in the Domain Name Service (DNS). DNS is the Internet’s phonebook—it’s what prevents you from having to type http://70.42.185.232 into your browser’s location field when all you really want to do is go to MacUser—though if you were really a hardcore user, you’d have our IP address memorized.
The flaw in question, uncovered by security researcher Dan Kaminsky, revealed a method by which the DNS’s cache could be “poisoned”—that is, false data could be used to replace real data, so instead of going to your bank’s website, you would be sent to a fake website, even though your location bar would still tell you that you were at your bank’s site. Scary stuff.
Most major vendors issued a coordinated patch of the DNS software, but OS X, which uses the popular BIND DNS server, has yet to be fixed—the problem is more of a risk for OS X Server installations than OS X clients, which have BIND off by default.
It’s extremely important that Apple patch this hole as soon as possible—in the meantime, OS X users who want to take matters into their own hands can compile a new version themselves. Still, it would be nice to see Apple treat security with the importance that it deserves.
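For readers running BIND on OS X Server who want to verify their own state rather than wait, here is an added example (not code from the original post, and not Apple's or ISC's own tooling). The coordinated fix for this flaw works by randomising the UDP source port of outgoing queries, and a BIND configuration that pins the port with a `query-source ... port N` statement quietly defeats that even on a patched server. The script below performs two offline checks: it scans a `named.conf` for pinned query-source ports, and it judges whether a list of source ports observed on outgoing queries (for example, from a packet capture) looks randomised or fixed. The `named.conf` fragments and port lists are constructed sample data, and the `score_source_ports` thresholds are assumptions chosen for illustration.

```python
"""Offline checks for the DNS cache-poisoning mitigation (source-port
randomisation) on a BIND resolver.

  1. find_pinned_query_ports(): flag 'query-source' / 'query-source-v6'
     statements in named.conf that fix the outgoing port, which disables
     the randomisation the patch relies on.
  2. score_source_ports(): given source ports seen on outgoing queries,
     say whether they look FIXED, POOR or GOOD.
"""
import re

# Constructed named.conf fragment (not from any real system): port is pinned.
SAMPLE_NAMED_CONF_PINNED = """
options {
    directory "/var/named";
    query-source address * port 53;      // pins IPv4 source port
    query-source-v6 address * port 53;   # pins IPv6 source port
    recursion yes;
};
"""

# Constructed named.conf fragment: no port pinned, randomisation can work.
SAMPLE_NAMED_CONF_OK = """
options {
    directory "/var/named";
    /* query-source address * port 53; */   -- commented out, must be ignored
    query-source address *;
    recursion yes;
};
"""

# Constructed observations of outgoing-query source ports.
SAMPLE_PORTS_FIXED = [53] * 20
SAMPLE_PORTS_RANDOM = [49171, 53822, 61007, 50333, 58219, 62781, 51440,
                       55902, 60015, 49877, 57364, 63210, 52098, 54771,
                       59543, 61888, 50766, 56429, 62114, 53107]

_QS_RE = re.compile(r'^\s*(query-source(?:-v6)?)\b([^;]*);', re.MULTILINE)
_PORT_RE = re.compile(r'\bport\s+(\*|\d+)')


def _strip_comments(text):
    """Remove BIND-style comments: /* ... */, // ..., and # ... ."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    return re.sub(r'(//|#).*', '', text)


def find_pinned_query_ports(conf_text):
    """Return [(directive, port), ...] for query-source statements that
    fix a numeric port. 'port *' (random) and no port clause are fine."""
    findings = []
    for m in _QS_RE.finditer(_strip_comments(conf_text)):
        directive, rest = m.group(1), m.group(2)
        p = _PORT_RE.search(rest)
        if p and p.group(1) != '*':
            findings.append((directive, int(p.group(1))))
    return findings


def score_source_ports(ports):
    """Return (distinct_count, distinct_fraction, verdict).

    A resolver using a fixed port reuses one value; a patched resolver
    spreads queries over a large range. Thresholds are assumed cut-offs
    for a small sample, not a statistical test."""
    if not ports:
        raise ValueError("no ports observed")
    distinct = len(set(ports))
    frac = distinct / len(ports)
    if distinct == 1:
        verdict = "FIXED"
    elif frac < 0.5:
        verdict = "POOR"
    else:
        verdict = "GOOD"
    return distinct, frac, verdict


if __name__ == "__main__":
    for label, conf in (("pinned", SAMPLE_NAMED_CONF_PINNED),
                        ("ok", SAMPLE_NAMED_CONF_OK)):
        print(label, "named.conf:", find_pinned_query_ports(conf) or "no pinned ports")
    for label, ports in (("fixed", SAMPLE_PORTS_FIXED),
                         ("random", SAMPLE_PORTS_RANDOM)):
        print(label, "ports:", score_source_ports(ports))
```

To use it on a live server, paste the contents of your own `named.conf` into `find_pinned_query_ports`, and feed `score_source_ports` the source ports of outgoing UDP/53 packets captured while the resolver handles a few dozen uncached lookups. A pinned port or a FIXED verdict means the patch, once Apple ships it, will not protect you until the `query-source` line is changed.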
Interestingly,
http://70.42.185.232 sends me to: http://www.macworld.com/weblogs/iphonecentral.html
:)
Hands up all those who are surprised at this news?
...
So, no one then?
I love my Mac but Apple are absolutely rubbish at fixing security flaws. Either they don't consider security to be as important as other aspects of their products (unlikely) or they've spread their resources too thinly. Given the delays in product launches over the past few years, I suspect the latter.
There is one relevant detail missing. The patch was released on 7/8 (or 8/7 for you Europeans). It's not like this is months old.
It's a little too early for me to get upset when I have no idea what's going on. Perhaps it's being tested. Perhaps it has caused another problem. Slapping on a fix (especially one someone else released) without understanding exactly what it does and what the ramifications are for performance and security is a bigger mistake than letting it lie for an extra week or two.