Apple Product Security retardedness

Jul 25, 2008 00:20

thanks to @wisequark: http://db.tidbits.com/article/9706

Oh, so I wasn't the only one who noticed this (back on July EIGHTH at http://twitter.com/janeylicious/statuses/853484169).

Yes, all versions of OS X (most importantly OS X Server) ship with an affected version of BIND. No, Apple doesn't want to say anything. You know WHY Apple doesn't want to say anything?

"For the protection of our customers, Apple does not publicly disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."
From someone on the Apple Product Security team. Seriously.

Oh yeah. Wait, this has already been disclosed to the public and has been patched by multiple vendors (all on the same day too!). There is a Metasploit exploit for this vuln that's a couple days old now (http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns). For fuck's sake, my mom can use Metasploit. Many well-known security researchers, and Kaminsky in particular, have been urging *everyone* to patch their DNS servers already. The vulnerability itself was announced HALF A MONTH AGO.

And nooo Apple won't disclose anything.

And what's even more fucked up? My ISP and many others seem to have no fucking clue about this at all.

Yay.
