I had sort of skimmed over the coverage of this DNS poisoning news, thinking it didn’t really apply to me as we don’t run any (public) servers. But John Welch explains the issue clearly enough for even distracted folks like me to understand:
security researcher Dan Kaminsky accidently discovered a technique wherein an attacker could compromise DNS servers (part of the essential functionality of the Internet) via what is known as Cache Poisoning. This technique allows an attacker to change, or “poison” the caches where DNS servers store the data that allow you to use “www.apple.com” to get to 220.127.116.11.
So let’s say, you want to get an update to an application. You enter in the URL, i.e. “http://www.goodvendor.com/”, and connect to that site to download the update. The problem is, the DNS server you use—say, your ISP’s or your own—has had its cache “poisoned”, so while you explicitly typed in the proper URL, you end up at some other server; instead of downloading the correct, safe update, you download a trojan horse and install it, because you think it’s safe. While attacks on DNS servers have been around for a while, this vulnerability made such attacks far easier to pull off than they previously had been.
This kind of attack makes most of the ways you detect phishing sites useless, because the URL will be the correct one, not some “almost” correct URL. You’ll just get re-routed to the wrong place. This is not theoretical either—there are active exploits for this right now.
Apple did really fail in this instance. I wonder what their reasoning was? I’ve still never read a compelling reason why Apple, of all major computer vendors, took so long to issue the patch.