The Primary Security rule for a Mac is to NEVER download or install a program from Someone or Someplace you Don’t know.

If your going to download a Utility or Application, it is usually better to goto Macupdate.com, Versiontracker.com, or some other trusted site to get the file.

DNS Poison Cache Problem

New York Times Article

Security update released by Apple.Description Security Update 2008-005. For Tiger and Leopard. Apple’s release appears to be incomplete. They have fixed the BIND code that is used by very few people not running servers, but have not fixed the DNS resolver code used by everyone. Admittedly, the part they fixed 3 weeks late is the part that has attacks already in the wild. Initially the bad guys are after the ISP’s and big DNS providers. (Note: The attack on individual machines have not been found in the wild. Probably because the bad guys get better results, more computers, attacking ISP’s. Furthermore, Good News: The NAT built in to a router will protect your machine from attack. Bad news: Routers themselves are probably open to attack until their firmware is upgraded.)

10.5.5 update fixes DNS vulnerability (and Security Update 2008-006) fixes a critical DNS vulnerability that could allow attackers to trick victims into visiting malicious Web sites using what’s known as a “cache poisoning attack.” Although Apple’s release notes say BIND was updated “to address performance issues,” the update also delivers the promised address port randomization that protects users from such cache poisoning attacks. The original patch offered protection for Apple’s servers but did not completely protect client systems. Apple’s updates fixed flaws in several applications and system components, including some that attackers could use to run unauthorized software on a user’s computer.

The only attack in the wild is the one against ISP’s and DNS providers. This is the one you should be concerned about right now. If your ISP has not fixed the problem I would consider using OpenDNS or so other DNS provider which has already fixed the problem. This is the most serious Security issue in recent memory. It has not all been fixed or solved. I would only worry about the part you can do something about (See below. The next step will be to keep an eye for firmware updates for your router.

Recently, a significant threat to DNS, the system that translates names you can remember (such as www.sbamug.com) to numbers the Internet can route (66.240.226.139) was discovered, that would allow malicious people to impersonate almost any website on the Internet. Software companies across the industry have quietly collaborated to simultaneously release fixes for all affected name servers. Many ISP’s have not as yet fixed this hole. The primary way most people will see this problem is because their ISP/DNS Server provider has the problem.

Although it can affect your computer if is it is not behind a firewall or a NAT. A patch has been released for windows but no word on whether the Mac has the problem or Not. — It probably does do the fact the flaw seems to be in all OS’s except OpenBSD.

Recommended Fix

Proceed to http://OpenDNS.com and install/use their Free DNS server. Instructions are available at the site. You do not have to use your ISP’s DNS. Furthermore, this free service has a number of great services that you might like.

Test For Problem

Method 1

Goto this link: DNS Test. It will automatically test your system.

Method 2

Enter the following into a Terminal window.

dig +short porttest.dns-oarc.net TXT

To test a specific DNS server, you can add @-ip as follows You should get back an answer that looks like this:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.219.11 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 14296.56"

The above Good score came from a OpenDNS Server.
The following will test a Verizon DNS Server.

dig @4.2.2.2 +short porttest.dns-oarc.net TXT

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"209.244.7.54 is FAIR: 26 queries in 0.4 seconds from 26 ports with std dev 3692.09"

Your resolver’s randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

DNS records used in this test are given 60 second TTLs. To repeat the test you should wait at least 60 seconds.

Method 3

To find out if the DNS server you use is vulnerable. Proceed to the following website, http://doxpara.com/, and press Check DNS.

ARD Agent Security Hole

This new security hole can only hurt you with your help. You must execute the file.

Workaround available

Problem with 10.5 Leopard and 10.4 Tiger operating system. Security update released by Apple.Description Security Update 2008-005.

From MacWorld.com

Navigate to /System -> Library -> CoreServices -> RemoteManagement, and Control-click on ARDAgent. In the contextual menu that appears, select Compress ARDAgent (in 10.5; in 10.4, I believe it will say Create Archive of ARDAgent). This will create a zip file of ARDAgent on your Desktop (as you don’t have rights to modify the original folder).

Next, drag ARDAgent to the trash can, provide your admin password when asked, then empty the trash. Finally, drag the zipped version of ARDAgent into the RemoteManagement folder, again providing your password when asked. (This last bit is optional; you can keep the file wherever you like, but I find it easier to store it where I know it belongs.)

When Apple releases a security update to patch this hole, expand the zip archive before running Software Update—so that Software Update will find the full application to patch. Note that this solution will prevent anyone from using Apple Remote Desktop to control your Mac. If you’re in such an environment where someone needs access to Apple Remote Desktop—say, in a business or in a school—you’ll need to speak to your administrators about their preferred solution to this problem.

From: MacFixIt.com

Leopard comes with Apple’s Remote Desktop Agent installed, so users can run screen sharing on their computers. This is exceptionally convenient for users, but there is a major flaw in the Apple Remote Desktop Agent (ARDAgent) which allows shell scripts to be run as root. This is caused by the Agent’s “set-user ID on execution” bit, for which it resolves to root. As such, code can be run as root, which can severely compromise the system.

This problem affects all users, and not just screen sharing or remote desktop users. Luckily there are limits to its execution, and it requires explicit

Workaround Apple is aware of this problem, but until they issue a patch for ARDAgent, running the following command to remove the setting of user/group ID upon execution will prevent the execution of commands as root:

sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

If this leads to any faulty screen sharing behavior, then users can switch it back to normal by entering the same code with the “+s” option instead of “-s“, as follows:

sudo chmod +s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Note: This fix can be removed my Repairing Disk Permissions. It resets the permissions changed to protect you in this case.

ARDAgent Test

Enter the following line into terminal. If it responds with root then the problem exists. If it responds with your short name, then things are probably OK.

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'