Apple released a security update for Mac OS X late yesterday to address a serious hole in Sendmail. Sendmail is the venerable e-mail server solution that handles fully 3/4 of all e-mail around the globe. It is also included in Mac OS X, but is turned off by default. Most of Sendmail's problems were found long ago through vigorous real-world testing and a long period of being known as the Swiss cheese of servers, but the new security hole has been labeled a serious one.
The flaw was found by Sendmail, Inc., the company behind the server package. The US's new Department of Homeland Security (DHS) then worked with Sendmail and Internet Security Systems, the group that found the exploit, to work out a patch. At the same time, the DHS worked with both companies to keep the exploit quiet until that patch was developed. This marks the first such incident that we know of in which the US government was involved in finding the solution to a software exploit.
It also marks a policy that Microsoft would like to see pushed, that of keeping exploits quiet until companies (i.e. Microsoft) have a chance to release a fix. That policy used to be the norm with exploit hunters, but many began releasing news of new exploits almost immediately when it seemed Microsoft would take months to release patches, if not ignore them altogether. The stated purpose for most of these announcements was to pressure Microsoft into fixing the problem sooner rather than later. That set in motion a fairly vicious cycle, but this might all change if the DHS can successfully pressure companies like Sendmail, Microsoft, and even Apple to fix these exploits ASAP. From a C|Net report on the issue:
"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work." The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release.
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SysAdmin, Audit, Network and Security (SANS) Institute, a research and education group that lets security companies, system administrators and others share information. "The DHS are the ones that can put the pressure on all the vendors and keep it quiet."
In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.
Speaking of Apple, this is supposed to be a story about the new Security Update for Mac OS X. Apple released its own fix for Mac OS X the same day that Sendmail announced the exploit. Apple's Security Update is based on the fix released by Sendmail, Inc., but Apple's release is required for all but hardcore CLI fiends to implement it in Mac OS X. The description from the Software Update Control Panel:
The Security Update addresses a security issue in Sendmail where a remote individual could gain access and control of the system. Although Sendmail is off by default in Mac OS, it is recommended that all users install this Security Update. This update also includes a newer version of OpenSSL that provides improved data confidentiality by addressing a recently-discovered security issue.
The exploit itself would enable someone to get root access to any system running an un-updated version of Sendmail. You can download the updater through the Software Update Control Panel, or through the Apple Knowledge Base article on the subject.