Securing DNS on OSX

It’s been a few weeks since [Dan Kaminsky] announced the nature of the DNS vulnerability and allowed 30 days of non-disclosure for patches to be applied before details of the exploit went public. Unfortunately, the details were leaked early and it didn’t take long for a functional exploit to be released into the wild. Since then, many ISPs have taken steps to prevent their users from falling victim to the attack, and BIND, the widely-used DNS protocol implementation, was updated to minimize the threat. Even then, there were reports of a version of the attack being actively used on AT&T’s DNS servers.

Mac OSX uses a BIND implementation, but as of yet Apple has not released a patch updating the system (Microsoft, on the other hand, patched this up on July 8). As a result, machines running OSX are at risk of being exploited. Individual users are less likely to be targeted, since the attacks are directed towards servers, but it’s not a smart idea to leave this vulnerability open. [Glenn Fleishman] has published a way to update BIND on OSX manually, rather than waiting on Apple to patch it themselves. It requires Xcode and a bit of terminal work, but it’s a relatively painless update. When we tried it, the “make test” step skipped a few tests and told us to run “bin/tests/system/ up”. That allowed us to re-run the tests and continue the update without further interruption. [Fleishman] warns that people who manually update BIND may break the official update, but he will update his instructions with any possible workarounds when that happens. Unfortunately, this fix only works for 10.5, but alternative, though less effective, methods may work for 10.4 and earlier.

If you’d like to know if your preferred DNS servers are vulnerable or not, you can use the DNS checker tool from Doxpara. As an alternative to your ISP’s DNS servers, you can use OpenDNS, which many prefer for its security features and configuration options.

Boxee available for Ubuntu

The Boxee blog has recently announced that they have finally released a Linux version. So far, only Ubuntu 7.10 through 8.04 support is available. We covered Boxee when they released their alpha version a few months ago. One of the unique things we found about it was the added social layer that allows the user to share their viewing and listening information on various social networking sites.

This XBMC-based media streamer has won a lot of praise lately and we are excited to finally see it step into the Linux platform. Up until now, Boxee was strictly run on OSX 10.5 and thus bound to Apple’s hardware configurations. Once they get a stable version running, it will be extremely easy for anyone to build a media streamer from an old PC with various hardware configurations.

EFiX dongle still not available

Well, it’s June 23rd, and still no dongle from EFiX. Despite a new product page on the company’s site, the OS X installing dongle is still not available for purchase. The USB dongle is supposed to facilitate the installation of Mac OS X by booting the Leopard install DVD on PCs, but so far no one has been able to verify this claim as no one has one of these in their hands yet. We’ve been covering this story since the beginning, and we’ll be sure to let you know when you can actually buy one of these.

[via Engadget]

Neutering the Apple Remote Desktop exploit

Yesterday, Slashdot reported a privilege escalation vulnerability in OSX. Using AppleScript, you can tell the ARDAgent to execute an arbitrary shell script. Since ARDAgent is running as root, all child processes inherit root privileges. Intego points out that if the user has activated Apple Remote Desktop sharing, the ARDAgent can’t be exploited in this fashion. So, the short-term solution is to turn on ARD, which you can do without giving any accounts access privileges. TUAW has an illustrated guide to doing this in 10.4 and 10.5.

EFiX boots Leopard retail DVDs on generic hardware

On June 23rd, EFiX is planning on releasing a USB dongle that will let any PC boot and install OSX from a retail DVD. The commercial device is supposed to take care of all patching and other woes OSX86 enthusiasts have had to deal with. Very little information is provided other than a statement that the development process took a lot of time and that they overcame “sabotage”… so, it’s got that going for it. Major OSX86 contributor (and Psystar hater) [Netkas] received a device to test and was pleased with the results. We’re just going to wait and see what happens. Not that it matters; they have no plans of releasing it in the US.

[via InsanelyMac]
[photo: Mario Seekr]