Give us the DNS patch already, or tell us why you're the last vendor to issue a patch.
This ain't a product launch. It's a real vulnerability, with live exploits and far-reaching consequences, and your delay in issuing the patch is causing your customers real problems. What, do all your customers have to issue directives prohibiting the use of Mac OS X and Mac OS X Server on all boxes that face the public Internet before you realize how serious this is?
Because we can't justify the risk in the gap between the rest of the world issuing a patch and Apple doing it, in total silence. Not for critical vulnerabilities like this. Mac OS X has been out since 2000; you're not new at this anymore. Do we really have to start telling our reps that we're going to ban Apple from anything facing the Internet for you to pull your heads out? Because once we make that decision, it's going to be years before you ever get a crack at reversing it. Face it, HP does not suck as a server vendor, and lord knows they're cheaper than Apple on a corporate price list. (I can get Xserve-grade hardware for HALF the cost of an Xserve from HP.)
Oh, and yes, I can indeed roll my own BIND and other packages. But if I'm doing that, then wtf do I get out of Mac OS X that I don't get out of Linux, *BSD, OpenSolaris, etc.? I mean, besides a lighter wallet and a pretty logo?
Comments
Thanks John.
I am beyond exasperated by this situation.
We've been furiously patching, helping customers patch, and flogging customers to patch, every day over the past couple of weeks. The day the vulnerability was announced we scanned our netblock and discovered several hundred servers whose DNS configuration was listed as "vulnerable."
Within the first few days most of the servers were patched. However, there are still close to 100 servers which are vulnerable, even now, almost a WEEK after an actual exploit is out "in the wild". ALL of them are Mac OS X Server machines. Every single one of them. This is quite frankly unacceptable.
I'm almost to the point of telling our customers to run with a "roll your own" patch, since Apple is taking FOREVER to get theirs out the door. I know this WILL cause problems in the future (I lived through the "Apple Enterprise", aka NeXT, Y2K security patch that completely obliterated my custom-built sendmail 8 install with sendmail 5(!) on NEXTSTEP. That was an awful experience!). But what is worse? Screwed now, or more work later?
Apple was notified by Kaminsky & Vixie (and US-CERT) on May 5th of this year. They've had THREE MONTHS to fix this. Most other OS vendors (even OSS) had patches THE DAY OF the announcement. ISC's BIND was quietly patched back in May. We run BIND on FreeBSD, and have been doing an internal DNS upgrade anyway, so our servers have been secure since early June. How is it that Apple could have sat on their hands for so long?
I agree with you about this being a key indicator that Apple is merely a casual participant in the enterprise space. There is no compelling reason to buy OS X Server and an Xserve anymore. You are better off with a Dell and Linux (or FreeBSD) than anything from Apple.
--chuck
Posted by: chuckgoolsbee | July 27, 2008 2:53 PM
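As an added example, not from the post or from chuck's comment: scanners of the period judged a resolver "vulnerable" to the Kaminsky cache-poisoning attack (CVE-2008-1447) by whether its outbound queries came from a fixed, predictable UDP source port, since the vendor patches fixed the issue by randomizing that port on top of the 16-bit transaction ID. The function below applies that classification to a list of (source port, transaction ID) pairs observed from a resolver's queries, as an authoritative server under your control would see them. All sample data are constructed, and the thresholds (a 1024-port span, at least half the samples on distinct ports) are this example's own assumptions, not a published standard. One caveat a practitioner should keep in mind: a NAT in front of a resolver can rewrite source ports in either direction, so the observation has to be made from outside the NAT, where the real authoritative servers see the queries, not from a packet capture on the resolver itself.

```python
"""Classify a DNS resolver's source-port behaviour from observed queries.

Added example for the Kaminsky cache-poisoning discussion (CVE-2008-1447).
Input is a list of (source_port, txid) pairs taken from successive queries
the resolver sent to an authoritative server you control; every sample
here is constructed, not captured.
"""
from collections import Counter

# Constructed samples of (UDP source port, DNS transaction ID).
FIXED_PORT = [(53, 0x1A2B), (53, 0x4C3D), (53, 0x9E8F),
              (53, 0x0123), (53, 0x7777), (53, 0x3E3E)]            # unpatched
RANDOM_PORT = [(34291, 0x1A2B), (51876, 0x4C3D), (60012, 0x9E8F),
               (42677, 0x0123), (38150, 0x7777), (57901, 0x3E3E)]  # patched
SEQUENTIAL_TXID = [(34291, 4096), (51876, 4097), (60012, 4098),
                   (42677, 4099), (38150, 4100), (57901, 4101)]    # counter txid
NARROW_POOL = [(1024, 0x1A2B), (1025, 0x4C3D), (1027, 0x9E8F),
               (1030, 0x0123), (1031, 0x7777), (1024, 0x3E3E)]     # e.g. NAT pool


def is_sequential(values):
    """True when consecutive values differ by one small constant step.

    A constant step of 0 is a fixed value; +1 is a counter.  Either lets an
    attacker predict the next value outright instead of guessing it.
    """
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and abs(next(iter(steps))) <= 16


def assess_resolver(samples, min_spread=1024):
    """Return (verdict, reason) for a list of (source_port, txid) samples.

    verdict is "vulnerable" (fixed or predictable port or txid), "poor"
    (ports drawn from a small pool, adding only a few bits to the 16-bit
    txid) or "ok".  min_spread is this example's own threshold.
    """
    if len(samples) < 4:
        raise ValueError("need at least 4 observed queries to judge")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        return "vulnerable", f"every query used source port {ports[0]}"
    if is_sequential(ports):
        return "vulnerable", "source ports follow a fixed increment"
    if is_sequential(txids):
        return "vulnerable", "transaction IDs follow a fixed increment"
    spread = max(ports) - min(ports)
    if distinct_ports < len(ports) // 2 or spread < min_spread:
        return "poor", f"{distinct_ports} distinct ports over a span of {spread}"
    return "ok", f"{distinct_ports} distinct ports over a span of {spread}"


def summarize(scan):
    """scan: dict of resolver address -> samples.  Returns a Counter of verdicts."""
    return Counter(assess_resolver(samples)[0] for samples in scan.values())


if __name__ == "__main__":
    # Hypothetical resolver addresses, used only to label the constructed samples.
    scan = {"10.0.0.1": FIXED_PORT, "10.0.0.2": RANDOM_PORT,
            "10.0.0.3": SEQUENTIAL_TXID, "10.0.0.4": NARROW_POOL}
    for addr, samples in scan.items():
        verdict, reason = assess_resolver(samples)
        print(f"{addr}: {verdict} ({reason})")
    print(summarize(scan))
```

To use this against real resolvers, have each one look up a handful of unique names under a zone you serve and feed the (source port, transaction ID) pairs your authoritative server logged into `assess_resolver`; the "poor" verdict is the one to watch for behind NAT, where a patched resolver can still end up with a narrow port pool.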
