

July 2008 Archives

July 8, 2008

"Giant" DNS Vuln - Apple: 0; Microsoft: 1

Close your Twitter and FriendFeed, drop that iPhone, put your shoes on and order some pizza: it's gonna be a late night full of patching DNS servers. At least that's what you'd think I'd be writing about today. Multiple DNS implementations are vulnerable to cache poisoning, and it is a relatively big deal. The bigger deal that we seem to be overlooking is Microsoft's role in this event and how the competition stacks up.
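The vulnerability behind today's coordinated release is a cache-poisoning race: a recursive resolver accepts the first reply whose UDP source port and 16-bit transaction ID match an outstanding query, and an off-path attacker who can trigger queries (the 2008 technique does this by asking for nonexistent names under the target zone, so it never has to wait for a TTL to expire) floods forged replies guessing that pair. The fix vendors shipped is UDP source port randomisation. The toy model below, an added example and not code from the original post or from any vendor advisory, shows why that matters: it computes the attacker's per-query hit probability with and without a randomised port and runs a small Monte Carlo of the race. The fixed pre-patch port of 53, the ephemeral range 1024-65535, and the flood size of 400 forged replies per query are assumptions for illustration, not measurements of any product. As a practical check, DNS-OARC's tester (`dig +short porttest.dns-oarc.net TXT`) reports whether a resolver's source ports look random after patching.

```python
"""Toy model of the 2008 DNS cache-poisoning race (added example).

A resolver emits a query with a (source port, transaction ID) pair and
accepts the first reply that matches it.  An off-path attacker who can
trigger the query floods forged replies guessing the pair.  The only
thing this model varies is whether the source port is randomised.
"""
import math
import random

TXID_SPACE = 1 << 16                # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536   # assumed ephemeral range for the toy
PORT_SPACE = PORT_HIGH - PORT_LOW
FIXED_PORT = 53                     # assumed pre-patch fixed, observable port


def guess_space(randomize_port: bool) -> int:
    """Number of (port, txid) pairs the attacker has to search."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def entropy_bits(randomize_port: bool) -> float:
    """Bits of unpredictability the forged reply must match."""
    return math.log2(guess_space(randomize_port))


def p_win_per_query(forged: int, randomize_port: bool) -> float:
    """Exact hit probability for `forged` distinct guesses against one query."""
    space = guess_space(randomize_port)
    return min(forged, space) / space


def expected_queries_to_poison(forged: int, randomize_port: bool) -> float:
    """Mean number of triggered queries before the attacker wins a race."""
    return 1.0 / p_win_per_query(forged, randomize_port)


def _resolver_query(rng: random.Random, randomize_port: bool):
    port = rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
    return (port, rng.randrange(TXID_SPACE))


def _forged_replies(rng: random.Random, n: int, randomize_port: bool):
    if not randomize_port:
        # The attacker has observed the fixed port; only the TXID is unknown.
        return {(FIXED_PORT, t) for t in rng.sample(range(TXID_SPACE), n)}
    # Both port and TXID are unknown: sample n distinct pairs from the product space.
    idx = rng.sample(range(TXID_SPACE * PORT_SPACE), n)
    return {(PORT_LOW + i // TXID_SPACE, i % TXID_SPACE) for i in idx}


def simulate(randomize_port: bool, forged_per_query: int = 400,
             queries: int = 3000, seed: int = 2008) -> int:
    """Monte Carlo: how many of `queries` races the attacker wins."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(queries):
        real = _resolver_query(rng, randomize_port)
        if real in _forged_replies(rng, forged_per_query, randomize_port):
            wins += 1
    return wins


if __name__ == "__main__":
    for randomized in (False, True):
        print(f"port randomisation={randomized}: "
              f"{entropy_bits(randomized):.1f} bits, "
              f"P(win per query, 400 forged)={p_win_per_query(400, randomized):.2e}, "
              f"expected queries={expected_queries_to_poison(400, randomized):.3g}, "
              f"wins in 3000 races={simulate(randomized)}")
```

The arithmetic is the whole story: with a fixed port the attacker needs on the order of a couple of hundred triggered queries at 400 forgeries each, which a modern link delivers in seconds; randomising the port multiplies the search space by roughly 2^16 and pushes the same attack into the tens of millions of queries. Port randomisation is a mitigation, not a cure, which is why NAT devices that rewrite source ports back to a predictable sequence undo the patch.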

Today is July 8th 2008. It's what we call Patch Tuesday, and by normal accounts it's a day on which people like myself, who work professionally in information security, already know quite clearly what is on the plate. However, today's Patch Tuesday is a bit different. Thanks to a number of influential security professionals, we have a significant multi-vendor, multi-agency coordinated release going on. Today, Microsoft is not the only game in town.

When we talk about today's DNS vulnerability announcement, I'm not fretting over my Windows servers or my XP laptops. The vendors we need to be concerned with today are the 90+ other companies listed on the CERT advisory that have provided no status information regarding their products. Many of these vendors were apparently notified in April and May of 2008. Three months later, the advisory is now public and many high-profile vendors still carry the dreaded "unknown" status. I'll save you the time of reading the vendor list and highlight a trend I've talked about before:

Cisco: Vulnerable
Foundry: Not Vulnerable
ISC: Vulnerable
Juniper: Vulnerable
Microsoft: Vulnerable
Nominum: Vulnerable
Power DNS: Not Vulnerable
Sun: Vulnerable
Apple: Unknown

That is correct. The company that insists it has the most secure operating system, the company that continues to try to penetrate the enterprise computing market, is listed as unknown. This is also the same company that lost its splashy smartphone to a previously patched bug in an open source project. Not much later, its brand new laptop keeled over in less than 2 minutes at PWN2OWN.

In comparison, we know that back in March engineers from major vendors met at Microsoft to plan and coordinate today's events. Further, not only do we know what Microsoft products are vulnerable, but we also have patches. The reason for this is simple - Microsoft is an enterprise vendor:

Microsoft has a predictable and regular patch release cycle.
Microsoft communicates to the public about its security issues.
Microsoft has a publicly readable and defined security glossary of terms.
Microsoft has a well-run security development life cycle.

We may not always like Microsoft or Microsoft products (hint: please extend the support of XP), but today's round goes clearly to Microsoft.

Updates

7/9/08: Added vendor references

http://sunsolve.sun.com/search/document.do?assetkey=1-26-239392-1
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

July 14, 2008

5 Reasons Why the iPhone 2.0 is still not Enterprise 1.0 Ready

1. Apple ships a software update the same day the hardware is released.

This is clearly indicative that Apple struggled to get the product to market on time. It's an old trick: ship the product and hope that by the time it hits consumers' hands you'll have a massive update available for download. After a few days of heavy usage, developers are blaming Apple when users complain of spurious application crashes. According to developers, it's not a problem with their applications but with the new 2.0 firmware. The enterprise invests in quality. A rushed product will inevitably mean problems.

2. Apple's own update infrastructure isn't designed to handle the load.

Enterprises can't afford failure, and on release day Apple's activation system keeled over. Apple knew exactly how many iPhones were available to be sold. They simply didn't architect their infrastructure to handle the known demand. This is not like some mom-and-pop website getting Slashdotted. Consumers being unable to activate their iPhones was one problem; the outage also affected everyone trying to use the iTunes Store. If an enterprise is dependent upon this infrastructure, then prepare yourselves for outages.

3. iPhone 2.0 firmware already hacked.

In fact, it was hacked before it was officially released. This is all about compliance and homogeneity. While Apple fights to keep the iPhone locked for contractual and revenue reasons, the enterprise wants it locked for compliance. A device that does not match the IT-approved build is considered a rogue device. Rogue devices increase workload and introduce security risks.

4. Enterprise customers get the bait and switch.

While I may be viewed as the "iPhone hater", I still attempted to order an iPhone from my corporate AT&T wireless account manager. After weeks of receiving email pitches to place an order, we were told at 5pm Thursday night that our account isn't eligible. But I could upgrade the account type. No thanks; that's lingo for "let me lock your company into a monthly commitment plan".

5. iPhone configuration utility not quite there yet

Along with ActiveSync support, Apple also released the iPhone Configuration Utility. This is a reactive step forward for Apple: they seem to have realized that IT operations need centralized configuration and management tools even when it comes to smartphones. The problem for Apple is that it's a stepchild of a utility. The configuration product is a separate tool with no integration points into Exchange, Active Directory or any other centralized enterprise infrastructure. Further, it exhibits Apple's failure to understand true policy compliance and enforcement, because it requires IT to distribute configuration XML files by email or over the web and leaves installation to the user. This is not policy enforcement, it's policy inclination.

July 15, 2008

San Francisco IT Admin Charged with Hijacking the City's Network.

Link to PC World Article


As an IT manager and security professional, this story makes me shake my head. It has certainly been the talk of the office today. A few quick thoughts on this.

Terry Childs seems to have backed himself into a corner and created a no-win situation. He had to have been in a desperate position to take the system hostage by blocking access and refusing to hand over passwords. Unfortunately for Childs, real-life computer security rarely works like it does in the movies; bargaining power is limited by the long arm of the law.

Childs's managers should have known better. A situation like this could only occur if safety nets and best practices were ignored or circumvented: escrowed credentials, out-of-band console access and offline configuration backups exist precisely so that no single administrator can lock everyone else out. Any security program that allows one person to cause this much damage is seriously deficient, especially since this has apparently been going on since June 20th.
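The control that prevents a single administrator from holding the keys is not a second copy of the password on a sticky note but a split of it among several custodians, so that a quorum can reconstruct it and fewer cannot. The example below, added here and not code from the original post or from the City of San Francisco, implements Shamir's k-of-n secret sharing over the prime field GF(2^521 - 1) for a break-glass credential. The password, the 3-of-5 threshold and the custodian count are constructed for illustration.

```python
"""k-of-n secret sharing for a break-glass credential (added example).

Any `threshold` custodians can reconstruct the secret; fewer learn nothing.
Shares are points on a random polynomial of degree threshold-1 over GF(PRIME)
whose constant term is the secret.
"""
import secrets

PRIME = (1 << 521) - 1        # Mersenne prime; encoded secret must be < PRIME
MAX_SECRET_BYTES = 64         # 0x01 prefix + 64 bytes = 520 bits < 521 bits
_rng = secrets.SystemRandom()  # OS CSPRNG; never random.Random for real secrets


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` (x, y) pairs; any `threshold` of them recover `secret`."""
    if threshold < 2 or threshold > shares:
        raise ValueError("need 2 <= threshold <= shares")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError(f"secret longer than {MAX_SECRET_BYTES} bytes")
    # Prefix 0x01 so leading zero bytes of the secret survive the int round trip.
    s = int.from_bytes(b"\x01" + secret, "big")
    coeffs = [s] + [_rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares.

    Supplying fewer than `threshold` shares yields an unrelated value rather
    than an error, so verify the result (e.g. against a stored password hash)
    before trusting it.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    acc = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME          # product of (0 - x_j)
                den = den * (xi - xj) % PRIME      # product of (x_i - x_j)
        acc = (acc + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = acc.to_bytes((acc.bit_length() + 7) // 8, "big")
    return raw[1:]                                 # strip the 0x01 prefix


if __name__ == "__main__":
    # Constructed credential and a 3-of-5 split across five custodians.
    password = b"Pr0d-R0uter-enable!"
    custodians = split_secret(password, threshold=3, shares=5)
    for x, y in custodians:
        print(f"custodian {x}: {y:x}"[:40] + "...")
    print("3 custodians:", recover_secret(custodians[:3]) == password)
    print("2 custodians:", recover_secret(custodians[:2]) == password)
```

The usual deployment puts one share each in a sealed envelope, a second administrator's password manager and the change-management system, and records who holds which index; reconstruction is then an audited event rather than a phone call to the one person who knows.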

The big question in my mind concerns the ramifications of continuing to run a system that could have been rigged to remotely delete data. If this concern turns out to be accurate, every minute that the city keeps the system up while it is not entirely under its control is another minute that city data is in jeopardy. A compromised system could mean data is deleted and confidential information is leaked. Both are significant risks.


Update:
Linked to the Robert McMillan article in PC World since he used my quote.

About July 2008

This page contains all entries posted to Sync in July 2008. They are listed from oldest to newest.
